Kazuho Oku reports:
A use-after-free vulnerability exists in H2O up to and including version 2.0.4 / 2.1.0-beta3 that can be used by a remote attacker to mount DoS attacks and/or information theft.
Check Point reports:
... discovered 3 fresh and previously unknown vulnerabilities (CVE-2016-7479, CVE-2016-7480, CVE-2016-7478) in the PHP 7 unserialize mechanism.
The first two vulnerabilities allow attackers to take full control over servers, allowing them to do anything they want with the website, from spreading malware to defacing it or stealing customer data.
The last vulnerability generates a Denial of Service attack which basically hangs the website, exhausts its memory consumption, and shuts it down.
The PHP security team issued fixes for two of the vulnerabilities on the 13th of October and 1st of December.
The PHP project reports:
- Use After Free Vulnerability in unserialize() (CVE-2016-9936)
- Invalid read when wddx decodes empty boolean element (CVE-2016-9935)
Legal Hackers reports:
Independent research uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application.
To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class.
The first patch of the vulnerability CVE-2016-10033 was incomplete. This advisory demonstrates the bypass of the patch. The bypass allows Remote Code Execution to be carried out on all current versions (including 5.2.19).
Samba team reports:
[CVE-2016-2123] Authenticated users can supply malicious dnsRecord attributes on DNS objects and trigger a controlled memory corruption.
[CVE-2016-2125] Samba client code always requests a forwardable ticket when using Kerberos authentication. This means the target server, which must be in the current or trusted domain/realm, is given a valid general purpose Kerberos "Ticket Granting Ticket" (TGT), which can be used to fully impersonate the authenticated user or service.
[CVE-2016-2126] A remote, authenticated, attacker can cause the winbindd process to crash using a legitimate Kerberos ticket due to incorrect handling of the PAC checksum. A local service with access to the winbindd privileged pipe can cause winbindd to cache elevated access permissions.
Matthew Garrett reports:
Reported this to upstream 8 months ago without response, so: libupnp's default behaviour allows anyone to write to your filesystem. Seriously. Find a device running a libupnp based server (Shodan says there's rather a lot), and POST a file to /testfile. Then GET /testfile ... and yeah if the server is running as root (it is) and is using / as the web root (probably not, but maybe) this gives full host fs access.
Scott Tenaglia reports:
There is a heap buffer overflow vulnerability in the create_url_list function in upnp/src/gena/gena_device.c.
Legal Hackers reports:
Independent research uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application.
To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class.
The Exim project reports:
Exim leaks the private DKIM signing key to the log files. Additionally, if the build option EXPERIMENTAL_DSN_INFO=yes is used, the key material is included in the bounce message.
Project curl Security Advisory:
libcurl's (new) internal function that returns a good 32bit random value was implemented poorly and overwrote the pointer instead of writing the value into the buffer the pointer pointed to.
This random value is used to generate nonces for Digest and NTLM authentication, for generating boundary strings in HTTP formposts and more. Having a weak or virtually non-existent random there makes these operations vulnerable.
This function is brand new in 7.52.0 and is the result of an overhaul to make sure libcurl uses strong random as much as possible - provided by the backend TLS crypto libraries when present. The faulty function was introduced in this commit.
We are not aware of any exploit of this flaw.
Squid security advisory 2016:10 reports:
Due to incorrect comparison of request headers Squid can deliver responses containing private data to clients it should not have reached.
This problem allows a remote attacker to discover private and sensitive information about another client's browsing session, potentially including credentials which allow access to further sensitive resources. This problem only affects Squid configured to use the Collapsed Forwarding feature. It is of particular importance for HTTPS reverse-proxy sites with Collapsed Forwarding.
Squid security advisory 2016:11 reports:
Due to incorrect HTTP conditional request handling Squid can deliver responses containing private data to clients it should not have reached.
This problem allows a remote attacker to discover private and sensitive information about another client's browsing session, potentially including credentials which allow access to further sensitive resources.
Mitre reports:
vim before patch 8.0.0056 does not properly validate values for the 'filetype', 'syntax' and 'keymap' options, which may result in the execution of arbitrary code if a file with a specially crafted modeline is opened.
Netsparker reports:
Proof of Concept URL for XSS in Pligg CMS:
Page: groups.php
Parameter Name: keyword
Parameter Type: GET
Attack Pattern: http://example.com/pligg-cms-2.0.2/groups.php?view=search&keyword='+alert(0x000D82)+'
For more information on cross-site scripting vulnerabilities read the article Cross-site Scripting (XSS).
Multiple vulnerabilities have been discovered in the NTP suite:
CVE-2016-9311: Trap crash. Reported by Matthew Van Gundy of Cisco ASIG.
CVE-2016-9310: Mode 6 unauthenticated trap information disclosure and DDoS vector. Reported by Matthew Van Gundy of Cisco ASIG.
CVE-2016-7427: Broadcast Mode Replay Prevention DoS. Reported by Matthew Van Gundy of Cisco ASIG.
CVE-2016-7428: Broadcast Mode Poll Interval Enforcement DoS. Reported by Matthew Van Gundy of Cisco ASIG.
CVE-2016-7431: Regression: 010-origin: Zero Origin Timestamp Bypass. Reported by Sharon Goldberg and Aanchal Malhotra of Boston University.
CVE-2016-7434: Null pointer dereference in _IO_str_init_static_internal(). Reported by Magnus Stubman.
CVE-2016-7426: Client rate limiting and server responses. Reported by Miroslav Lichvar of Red Hat.
CVE-2016-7433: Reboot sync calculation problem. Reported independently by Brian Utterback of Oracle, and by Sharon Goldberg and Aanchal Malhotra of Boston University.
A remote attacker can send a specially crafted packet to cause a NULL pointer dereference that will crash ntpd, resulting in a Denial of Service. [CVE-2016-9311]
An exploitable configuration modification vulnerability exists in the control mode (mode 6) functionality of ntpd. If, against long-standing BCP recommendations, "restrict default noquery ..." is not specified, a specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, disabling legitimate monitoring by an attacker from remote. [CVE-2016-9310]
An attacker with access to the NTP broadcast domain can periodically inject specially crafted broadcast mode NTP packets into the broadcast domain which, while being logged by ntpd, can cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers. [CVE-2016-7427]
An attacker with access to the NTP broadcast domain can send specially crafted broadcast mode NTP packets to the broadcast domain which, while being logged by ntpd, will cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers. [CVE-2016-7428]
Origin timestamp problems were fixed in ntp 4.2.8p6. However, subsequent timestamp validation checks introduced a regression in the handling of some Zero origin timestamp checks. [CVE-2016-7431]
If ntpd is configured to allow mrulist query requests from a server that sends a crafted malicious packet, ntpd will crash on receipt of that crafted malicious mrulist query packet. [CVE-2016-7434]
An attacker who knows the sources (e.g., from an IPv4 refid in server response) and knows the system is (mis)configured in this way can periodically send packets with spoofed source address to keep the rate limiting activated and prevent ntpd from accepting valid responses from its sources. [CVE-2016-7426]
Ntp Bug 2085 described a condition where the root delay was included twice, causing the jitter value to be higher than expected. Due to a misinterpretation of a small-print variable in The Book, the fix for this problem was incorrect, resulting in a root distance that did not include the peer dispersion. The calculations and formulas have been reviewed and reconciled, and the code has been updated accordingly. [CVE-2016-7433]
The cURL project reports:
printf floating point buffer overflow
libcurl's implementation of the printf() functions triggers a buffer overflow when doing a large floating point output. The bug occurs when the conversion outputs more than 255 bytes.
The JSST and the Joomla! Security Center report:
[20161201] - Core - Elevated Privileges
Incorrect use of unfiltered data stored to the session on a form validation failure allows for existing user accounts to be modified; to include resetting their username, password, and user group assignments.
[20161202] - Core - Shell Upload
Inadequate filesystem checks allowed files with alternative PHP file extensions to be uploaded.
[20161203] - Core - Information Disclosure
Inadequate ACL checks in the Beez3 com_content article layout override enables a user to view restricted content.
The JSST and the Joomla! Security Center report:
[20161001] - Core - Account Creation
Inadequate checks allows for users to register on a site when registration has been disabled.
[20161002] - Core - Elevated Privilege
Incorrect use of unfiltered data allows for users to register on a site with elevated privileges.
[20161003] - Core - Account Modifications
Incorrect use of unfiltered data allows for existing user accounts to be modified; to include resetting their username, password, and user group assignments.
The JSST and the Joomla! Security Center report:
[20160801] - Core - ACL Violation
Inadequate ACL checks in com_content provide potential read access to data which should be access restricted to users with edit_own level.
[20160802] - Core - XSS Vulnerability
Inadequate escaping leads to XSS vulnerability in mail component.
[20160803] - Core - CSRF
Add additional CSRF hardening in com_joomlaupdate.
The JSST and the Joomla! Security Center report:
[20151206] - Core - Session Hardening
The Joomla Security Strike team has been following up on the critical security vulnerability patched last week. Since the recent update it has become clear that the root cause is a bug in PHP itself. This was fixed by PHP in September of 2015 with the releases of PHP 5.4.45, 5.5.29, 5.6.13 (Note that this is fixed in all versions of PHP 7 and has been back-ported in some specific Linux LTS versions of PHP 5.3). This fixes the bug across all supported PHP versions.
[20151207] - Core - SQL Injection
Inadequate filtering of request data leads to a SQL Injection vulnerability.
The Xen Project reports:
Certain PV guest kernel operations (page table writes in particular) need emulation, and use Xen's general x86 instruction emulator. This allows a malicious guest kernel which asynchronously modifies its instruction stream to effect the clearing of EFLAGS.IF from the state used to return to guest context.
A malicious guest kernel administrator can cause a host hang or crash, resulting in a Denial of Service.
Apache Software Foundation reports:
Please reference CVE/URL list for details
The Xen Project reports:
The typical behaviour of singlestepping exceptions is determined at the start of the instruction, with a #DB trap being raised at the end of the instruction. SYSCALL (and SYSRET, although we don't implement it) behave differently because the typical behaviour allows userspace to escalate its privilege. (This difference in behaviour seems to be undocumented.) Xen wrongly raised the exception based on the flags at the start of the instruction.
Guest userspace which can invoke the instruction emulator can use this flaw to escalate its privilege to that of the guest kernel.
Mitre reports:
modules/chanserv/flags.c in Atheme before 7.2.7 allows remote attackers to modify the Anope FLAGS behavior by registering and dropping the (1) LIST, (2) CLEAR, or (3) MODIFY keyword nicks.
Buffer overflow in the xmlrpc_char_encode function in modules/transport/xmlrpc/xmlrpclib.c in Atheme before 7.2.7 allows remote attackers to cause a denial of service via vectors related to XMLRPC response encoding.
Mozilla Foundation reports:
CVE-2016-9894: Buffer overflow in SkiaGL
CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements
CVE-2016-9895: CSP bypass using marquee tag
CVE-2016-9896: Use-after-free with WebVR
CVE-2016-9897: Memory corruption in libGLES
CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees
CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs
CVE-2016-9904: Cross-origin information leak in shared atoms
CVE-2016-9901: Data from Pocket server improperly sanitized before execution
CVE-2016-9902: Pocket extension does not validate the origin of events
CVE-2016-9903: XSS injection vulnerability in add-ons SDK
CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1
CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6
Jeremy Felt reports:
WordPress versions 4.6 and earlier are affected by two security issues: a cross-site scripting vulnerability via image filename, reported by SumOfPwn researcher Cengiz Han Sahin; and a path traversal vulnerability in the upgrade package uploader, reported by Dominik Schilling from the WordPress security team.
The Xen Project reports:
The x86 instruction CMPXCHG8B is supposed to ignore legacy operand size overrides; it only honors the REX.W override (making it CMPXCHG16B). So, the operand size is always 8 or 16. When support for CMPXCHG16B emulation was added to the instruction emulator, this restriction on the set of possible operand sizes was relied on in some parts of the emulation; but a wrong, fully general, operand size value was used for other parts of the emulation. As a result, if a guest uses a supposedly-ignored operand size prefix, a small amount of hypervisor stack data is leaked to the guests: a 96 bit leak to guests running in 64-bit mode; or, a 32 bit leak to other guests.
A malicious unprivileged guest may be able to obtain sensitive information from the host.
The PHP project reports:
This is a security release. Several security bugs were fixed in this release.
The Asterisk project reports:
The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace.
This mostly does not pose a problem until Asterisk is placed in tandem with an authenticating SIP proxy. In such a case, a crafty combination of valid and invalid To headers can cause a proxy to allow an INVITE request into Asterisk without authentication since it believes the request is an in-dialog request. However, because of the bug described above, the request will look like an out-of-dialog request to Asterisk. Asterisk will then process the request as a new call. The result is that Asterisk can process calls from unvetted sources without any authentication.
If you do not use a proxy for authentication, then this issue does not affect you.
If your proxy is dialog-aware (meaning that the proxy keeps track of what dialogs are currently valid), then this issue does not affect you.
If you use chan_pjsip instead of chan_sip, then this issue does not affect you.
The Asterisk project reports:
If an SDP offer or answer is received with the Opus codec and with the format parameters separated using a space the code responsible for parsing will recursively call itself until it crashes. This occurs as the code does not properly handle spaces separating the parameters. This does NOT require the endpoint to have Opus configured in Asterisk. This also does not require the endpoint to be authenticated. If guest is enabled for chan_sip or anonymous in chan_pjsip an SDP offer or answer is still processed and the crash occurs.
Multiple sources report:
CVE-2015-2141: The InvertibleRWFunction::CalculateInverse function in rw.cpp in libcrypt++ 5.6.2 does not properly blind private key operations for the Rabin-Williams digital signature algorithm, which allows remote attackers to obtain private keys via a timing attack. Fixed in 5.6.3.
CVE-2016-3995: Incorrect implementation of Rijndael timing attack countermeasure. Fixed in 5.6.4.
CVE-2016-7420: Library built without -DNDEBUG could egress sensitive information to the filesystem via a core dump if an assert was triggered. Fixed in 5.6.5.
The bounds checking of accesses to guest memory greater than 4GB by device emulations is subject to integer overflow.
For a bhyve virtual machine with more than 3GB of guest memory configured, a malicious guest could craft device descriptors that could give it access to the heap of the bhyve process. Since the bhyve process is running as root, this may allow guests to obtain full control of the hosts they're running on.
A specially crafted argument can trigger a static buffer overflow in the library, with possibility to rewrite following static buffers that belong to other library functions.
Due to very limited use of the function in the existing applications, and limited length of the overflow, exploitation of the vulnerability does not seem feasible. None of the utilities and daemons in the base system are known to be vulnerable. However, careful review of third party software that may use the function was not performed.
An unexpected sequence of memory allocation failures combined with insufficient error checking could result in the construction and execution of an argument sequence that was not intended.
An attacker who controls the sequence of memory allocation failures and success may cause login(1) to run without authentication and may be able to cause misbehavior of login(1) replacements.
No practical way of controlling these memory allocation failures is known at this time.
mod_http2 reports:
The Apache HTTPD web server (from 2.4.17-2.4.23) did not apply limitations on request headers correctly when the experimental module for the HTTP/2 protocol is used to access a resource.
The net result is that the server allocates too much memory instead of denying the request. This can lead to memory exhaustion of the server by a properly crafted request.
Google Chrome Releases reports:
36 security fixes in this release
Please reference CVE/URL list for details
Multiple sources report:
CVE-2016-9298: heap overflow in WaveletDenoiseImage(), fixed in ImageMagick7-7.0.3.6, discovered 2016-10-31
CVE-2016-8866: memory allocation failure in AcquireMagickMemory (incomplete previous fix for CVE-2016-8862), not fixed yet with the release of this announcement, re-discovered 2016-10-13.
CVE-2016-8862: memory allocation failure in AcquireMagickMemory, initially partially fixed in ImageMagick7-7.0.3.3, discovered 2016-09-14.
Pillow reports:
Pillow prior to 3.3.2 may experience integer overflow errors in map.c when reading specially crafted image files. This may lead to memory disclosure or corruption.
Pillow prior to 3.3.2 and PIL 1.1.7 (at least) do not check for negative image sizes in ImagingNew in Storage.c. A negative image size can lead to a smaller allocation than expected, leading to arbitrary writes.
Bastien Roucaries reports:
Imagemagick before 3cbfb163cff9e5b8cdeace8312e9bfee810ed02b suffers from a heap overflow in WaveletDenoiseImage(). This problem is easily triggerable from a Perl script.
Alex Gaynor reports:
Fixed a bug where ``HKDF`` would return an empty byte-string if used with a ``length`` less than ``algorithm.digest_size``.
Daniel P. Berrange reports:
The VNC server websockets decoder will read and buffer data from websockets clients until it sees the end of the HTTP headers, as indicated by \r\n\r\n. In theory this allows a malicious client to trick QEMU into consuming an arbitrary amount of RAM.
The Xen Project reports:
pygrub, the boot loader emulator, fails to quote (or sanity check) its results when reporting them to its caller.
A malicious guest administrator can obtain the contents of sensitive host files (an information leak). Additionally, a malicious guest administrator can cause files on the host to be removed, causing a denial of service. In some unusual host configurations, ability to remove certain files may be usable for privilege escalation.
The Xen Project reports:
The compiler can emit optimizations in qemu which can lead to double fetch vulnerabilities. Specifically data on the rings shared between qemu and the hypervisor (which the guest under control can obtain mappings of) can be fetched twice (during which time the guest can alter the contents) possibly leading to arbitrary code execution in qemu.
Malicious administrators can exploit this vulnerability to take over the qemu process, elevating its privilege to that of the qemu process.
In a system not using a device model stub domain (or other techniques for deprivileging qemu), malicious guest administrators can thus elevate their privilege to that of the host.
The Xen Project reports:
The x86 instructions BT, BTC, BTR, and BTS, when used with a destination memory operand and a source register rather than an immediate operand, access a memory location offset from that specified by the memory operand as specified by the high bits of the register source.
A malicious guest can modify arbitrary memory, allowing for arbitrary code execution (and therefore privilege escalation affecting the whole host), a crash of the host (leading to a DoS), or information leaks. The vulnerability is sometimes exploitable by unprivileged guest user processes.
The Xen Project reports:
Along with their main kernel binary, unprivileged guests may arrange to have their Xen environment load (kernel) symbol tables for their use. The ELF image metadata created for this purpose has a few unused bytes when the symbol table binary is in 32-bit ELF format. These unused bytes were not properly cleared during symbol table loading.
A malicious unprivileged guest may be able to obtain sensitive information from the host.
The information leak is small and not under the control of the guest, so effectively exploiting this vulnerability is probably difficult.
The Xen Project reports:
Both writes to the FS and GS register base MSRs as well as the WRFSBASE and WRGSBASE instructions require their input values to be canonical, or a #GP fault will be raised. When the use of those instructions by the hypervisor was enabled, the previous guard against #GP faults (having recovery code attached) was accidentally removed.
A malicious guest administrator can crash the host, leading to a DoS.
The Xen Project reports:
LDTR, just like TR, is purely a protected mode facility. Hence even when switching to a VM86 mode task, LDTR loading needs to follow protected mode semantics. This was violated by the code.
On SVM (AMD hardware): a malicious unprivileged guest process can escalate its privilege to that of the guest operating system.
On both SVM and VMX (Intel hardware): a malicious unprivileged guest process can crash the guest.
The Xen Project reports:
The Xen x86 emulator erroneously failed to consider the unusability of segments when performing memory accesses.
The intended behaviour is as follows: The user data segment (%ds, %es, %fs and %gs) selectors may be NULL in 32-bit to prevent access. In 64-bit, NULL has a special meaning for user segments, and there is no way of preventing access. However, in both 32-bit and 64-bit, a NULL LDT system segment is intended to prevent access.
On Intel hardware, loading a NULL selector zeros the base as well as most attributes, but sets the limit field to its largest possible value. On AMD hardware, loading a NULL selector zeros the attributes, leaving the stale base and limit intact.
Xen may erroneously permit the access using unexpected base/limit values.
Ability to exploit this vulnerability on Intel is easy, but on AMD depends in a complicated way on how the guest kernel manages LDTs.
An unprivileged guest user program may be able to elevate its privilege to that of the guest operating system.
The Xen Project reports:
Instructions touching FPU, MMX, or XMM registers are required to raise a Device Not Available Exception (#NM) when either CR0.EM or CR0.TS are set. (Their AVX or AVX-512 extensions would consider only CR0.TS.) While during normal operation this is ensured by the hardware, if a guest modifies instructions while the hypervisor is preparing to emulate them, the #NM delivery could be missed.
Guest code in one task may thus (unintentionally or maliciously) read or modify register state belonging to another task in the same VM.
A malicious unprivileged guest user may be able to obtain or corrupt sensitive information (including cryptographic material) in other programs in the same guest.
The Xen Project reports:
When the EVTCHNOP_init_control operation is called with a bad guest frame number, it takes an error path which frees a control structure without also clearing the corresponding pointer. Certain subsequent operations (EVTCHNOP_expand_array or another EVTCHNOP_init_control), upon finding the non-NULL pointer, continue operation assuming it points to allocated memory.
A malicious guest administrator can crash the host, leading to a DoS. Arbitrary code execution (and therefore privilege escalation), and information leaks, cannot be excluded.
The Xen Project reports:
x86 HVM guests running with shadow paging use a subset of the x86 emulator to handle the guest writing to its own pagetables. There are situations a guest can provoke which result in exceeding the space allocated for internal state.
A malicious HVM guest administrator can cause Xen to fail a bug check, causing a denial of service to the host.
The Xen Project reports:
When emulating HVM instructions, Xen uses a small i-cache for fetches from guest memory. The code that handles cache misses does not check if the address from which it fetched lies within the cache before blindly writing to it. As such it is possible for the guest to overwrite hypervisor memory.
It is currently believed that the only way to trigger this bug is to use the way that Xen currently incorrectly wraps CS:IP in 16 bit modes. The included patch prevents such wrapping.
A malicious HVM guest administrator can escalate their privilege to that of the host.
The Xen Project reports:
On real hardware, a 32-bit PAE guest must leave the USER and RW bit clear in L3 pagetable entries, but the pagetable walk behaves as if they were set. (The L3 entries are cached in processor registers, and don't actually form part of the pagewalk.)
When running a 32-bit PV guest on a 64-bit Xen, Xen must always OR in the USER and RW bits for L3 updates for the guest to observe architectural behaviour. This is unsafe in combination with recursive pagetables.
As there is no way to construct an L3 recursive pagetable in native 32-bit PAE mode, disallow this option in 32-bit PV guests.
A malicious 32-bit PV guest administrator can escalate their privilege to that of the host.
Wireshark project reports:
Wireshark project is releasing Wireshark 2.2.2, which addresses:
- wnpa-sec-2016-58: Profinet I/O long loop - CVE-2016-9372
- wnpa-sec-2016-59: AllJoyn crash - CVE-2016-9374
- wnpa-sec-2016-60: OpenFlow crash - CVE-2016-9376
- wnpa-sec-2016-61: DCERPC crash - CVE-2016-9373
- wnpa-sec-2016-62: DTN infinite loop - CVE-2016-9375
The Mozilla Foundation reports:
A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows.
Dawid Golunski reports:
GNU wget in version 1.17 and earlier, when used in mirroring/recursive mode, is affected by a Race Condition vulnerability that might allow remote attackers to bypass intended wget access list restrictions specified with -A parameter.
MITRE reports:
A null pointer dereference bug affects the 16.02 and many old versions of p7zip. A lack of null pointer check for the variable folders.PackPositions in function CInArchive::ReadAndDecodePackedStreams, as used in the 7z.so library and in 7z applications, will cause a crash and a denial of service when decoding malformed 7z files.
The Apache Software Foundation reports:
The mod_dontdothat module of subversion and subversion clients using http(s):// are vulnerable to a denial-of-service attack, caused by exponential XML entity expansion. The attack targets XML parsers, causing the targeted process to consume excessive amounts of resources. The attack is also known as the "billions of laughs attack."
Mitre reports:
The HTBoundary_put_block function in HTBound.c for W3C libwww (w3c-libwww) allows remote servers to cause a denial of service (segmentation fault) via a crafted multipart/byteranges MIME message that triggers an out-of-bounds read.
The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720.
The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.
The Mozilla Foundation reports:
Redirection from an HTTP connection to a data: URL assigns the referring site's origin to the data: URL in some circumstances. This can result in same-origin violations against a domain if it loads resources from malicious sites. Cross-origin setting of cookies has been demonstrated without the ability to read them.
The Roundcube project reports:
steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.
The Drupal development team reports:
Inconsistent name for term access query (Less critical - Drupal 7 and Drupal 8)
Drupal provides a mechanism to alter database SELECT queries before they are executed. Contributed and custom modules may use this mechanism to restrict access to certain entities by implementing hook_query_alter() or hook_query_TAG_alter() in order to add additional conditions. Queries can be distinguished by means of query tags. As the documentation on EntityFieldQuery::addTag() suggests, access-tags on entity queries normally follow the form ENTITY_TYPE_access (e.g. node_access). However, the taxonomy module's access query tag predated this system and used term_access as the query tag instead of taxonomy_term_access.
As a result, before this security release modules wishing to restrict access to taxonomy terms may have implemented an unsupported tag, or needed to look for both tags (term_access and taxonomy_term_access) in order to be compatible with queries generated both by Drupal core as well as those generated by contributed modules like Entity Reference. Otherwise information on taxonomy terms might have been disclosed to unprivileged users.
Incorrect cache context on password reset page (Less critical - Drupal 8)
The user password reset form does not specify a proper cache context, which can lead to cache poisoning and unwanted content on the page.
Confirmation forms allow external URLs to be injected (Moderately critical - Drupal 7)
Under certain circumstances, malicious users could construct a URL to a confirmation form that would trick users into being redirected to a 3rd party website after interacting with the form, thereby exposing the users to potential social engineering attacks.
Denial of service via transliterate mechanism (Moderately critical - Drupal 8)
A specially crafted URL can cause a denial of service via the transliterate mechanism.
Please reference CVE/URL list for details
LegalHackers reports:
RCE Bugs discovered in MySQL and its variants like MariaDB. It works by manipulating my.cnf files and using --malloc-lib. The bug seems fixed in MySQL 5.7.15 by Oracle
Network Time Foundation reports:
NTF's NTP Project is releasing ntp-4.2.8p9, which addresses:
- 1 HIGH severity vulnerability that only affects Windows
- 2 MEDIUM severity vulnerabilities
- 2 MEDIUM/LOW severity vulnerabilities
- 5 LOW severity vulnerabilities
- 28 other non-security fixes and improvements
All of the security issues in this release are listed in VU#633847.
Teeworlds project reports:
Attacker controlled memory-writes and possibly arbitrary code execution on the client, abusable by any server the client joins
Jenkins Security Advisory:
An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java object to the Jenkins CLI, making Jenkins connect to an attacker-controlled LDAP server, which in turn can send a serialized payload leading to code execution, bypassing existing protection mechanisms.
Marina Glancy reports:
MSA-16-0023: Question engine allows access to files that should not be available
MSA-16-0024: Non-admin site managers may accidentally edit admins via web services
MSA-16-0025: Capability to view course notes is checked in the wrong context
MSA-16-0026: When debugging is enabled, error exceptions returned from webservices could contain private data
Marina Glancy reports:
MSA-16-0022: Web service tokens should be invalidated when the user password is changed or forced to be changed.
Mozilla Foundation reports:
Please reference CVE/URL list for details
Debian reports:
smogrify script creates insecure temporary files.
lives creates and uses world-writable directory.
OpenSSL reports:
- ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054)
Severity: High
TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash. This issue is not considered to be exploitable beyond a DoS.
- CMS Null dereference (CVE-2016-7053)
Severity: Medium
Applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure callback if an attempt is made to free certain invalid encodings. Only CHOICE structures using a callback which do not handle NULL value are affected.
- Montgomery multiplication may produce incorrect results (CVE-2016-7055)
Severity: Low
There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure that handles input lengths divisible by, but longer than 256 bits.
Google Chrome Releases reports:
4 security fixes in this release, including:
- [643948] High CVE-2016-5199: Heap corruption in FFmpeg. Credit to Paul Mehta
- [658114] High CVE-2016-5200: Out of bounds memory access in V8. Credit to Choongwoo Han
- [660678] Medium CVE-2016-5201: Info leak in extensions. Credit to Rob Wu
- [662843] CVE-2016-5202: Various fixes from internal audits, fuzzing and other initiatives
Adobe reports:
- These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-7860, CVE-2016-7861, CVE-2016-7865).
- These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-7857, CVE-2016-7858, CVE-2016-7859, CVE-2016-7862, CVE-2016-7863, CVE-2016-7864).
GitLab reports:
The import/export feature did not properly check for symbolic links in user-provided archives and therefore it was possible for an authenticated user to retrieve the contents of any file accessible to the GitLab service account. This included sensitive files such as those that contain secret tokens used by the GitLab service to authenticate users.
Google Chrome Releases reports:
[659475] High CVE-2016-5198: Out of bounds memory access in V8. Credit to Tencent Keen Security Lab, working with Trend Micro's Zero Day Initiative.
Due to improper handling of alert packets, OpenSSL would consume an excessive amount of CPU time processing undefined alert messages.
A remote attacker who can initiate handshakes with an OpenSSL based server can cause the server to consume a lot of computation power with very little bandwidth usage, and may be able to use this technique in a leveraged Denial of Service attack.
The Django project reports:
Today the Django team released Django 1.10.3, Django 1.9.11, and 1.8.16. These releases address two security issues detailed below. We encourage all users of Django to upgrade as soon as possible.
- User with hardcoded password created when running tests on Oracle
- DNS rebinding vulnerability when DEBUG=True
The cURL project reports:
- cookie injection for other servers
- case insensitive password comparison
- OOB write via unchecked multiplication
- double-free in curl_maprintf
- double-free in krb5 code
- glob parser write/read out of bounds
- curl_getdate read out of bounds
- URL unescape heap overflow via integer truncation
- Use-after-free via shared cookies
- invalid URL parsing with '#'
- IDNA 2003 makes curl use wrong host
ISC reports:
A defect in BIND's handling of responses containing a DNAME answer can cause a resolver to exit after encountering an assertion failure in db.c or resolver.c
Cisco Talos reports:
Multiple integer overflow vulnerabilities exist within Memcached that could be exploited to achieve remote code execution on the targeted system. These vulnerabilities manifest in various Memcached functions that are used in inserting, appending, prepending, or modifying key-value data pairs. Systems which also have Memcached compiled with support for SASL authentication are also vulnerable to a third flaw due to how Memcached handles SASL authentication commands.
An attacker could exploit these vulnerabilities by sending a specifically crafted Memcached command to the targeted server. Additionally, these vulnerabilities could also be exploited to leak sensitive process information which an attacker could use to bypass common exploitation mitigations, such as ASLR, and can be triggered multiple times. This enables reliable exploitation which makes these vulnerabilities severe.
The MariaDB project reports:
Fixes for the following security vulnerabilities:
- CVE-2016-7440
- CVE-2016-5584
Google Chrome Releases reports:
21 security fixes in this release, including:
- [645211] High CVE-2016-5181: Universal XSS in Blink. Credit to Anonymous
- [638615] High CVE-2016-5182: Heap overflow in Blink. Credit to Giwan Go of STEALIEN
- [645122] High CVE-2016-5183: Use after free in PDFium. Credit to Anonymous
- [630654] High CVE-2016-5184: Use after free in PDFium. Credit to Anonymous
- [621360] High CVE-2016-5185: Use after free in Blink. Credit to cloudfuzzer
- [639702] High CVE-2016-5187: URL spoofing. Credit to Luan Herrera
- [565760] Medium CVE-2016-5188: UI spoofing. Credit to Luan Herrera
- [633885] Medium CVE-2016-5192: Cross-origin bypass in Blink. Credit to haojunhou@gmail.com
- [646278] Medium CVE-2016-5189: URL spoofing. Credit to xisigr of Tencent's Xuanwu Lab
- [644963] Medium CVE-2016-5186: Out of bounds read in DevTools. Credit to Abdulrahman Alqabandi (@qab)
- [639126] Medium CVE-2016-5191: Universal XSS in Bookmarks. Credit to Gareth Hughes
- [642067] Medium CVE-2016-5190: Use after free in Internals. Credit to Atte Kettunen of OUSPG
- [639658] Low CVE-2016-5193: Scheme bypass. Credit to Yuyang ZHOU (martinzhou96)
- [654782] CVE-2016-5194: Various fixes from internal audits, fuzzing and other initiatives
Google Chrome Releases reports:
3 security fixes in this release, including:
- [642496] High CVE-2016-5177: Use after free in V8. Credit to Anonymous
- [651092] CVE-2016-5178: Various fixes from internal audits, fuzzing and other initiatives.
When processing the SSH_MSG_KEXINIT message, the server could allocate up to a few hundred megabytes of memory per connection, before any authentication takes place.
A remote attacker may be able to cause an SSH server to allocate an excessive amount of memory. Note that the default MaxStartups setting on FreeBSD will limit the effectiveness of this attack.
Todd C. Miller reports:
A flaw exists in sudo's noexec functionality that may allow a user with sudo privileges to run additional commands even when the NOEXEC tag has been applied to a command that uses the wordexp() function.
Apache Axis2 reports:
Apache Axis2 1.7.4 is a maintenance release that includes fixes for several issues, including the following security issues: Session fixation (AXIS2-4739) and XSS (AXIS2-5683) vulnerabilities affecting the admin console. A dependency on an Apache HttpClient version affected by known security vulnerabilities (CVE-2012-6153 and CVE-2014-3577); see AXIS2-5757.
Node.js has released new versions containing the following security fix:
The following releases all contain fixes for CVE-2016-5180 "ares_create_query single byte out of buffer write": Node.js v0.10.48 (Maintenance), Node.js v0.12.17 (Maintenance), Node.js v4.6.1 (LTS "Argon")
While this is not a critical update, all users of these release lines should upgrade at their earliest convenience.
Node.js v6.9.0 LTS contains the following security fixes, specific to v6.x:
Disable auto-loading of openssl.cnf: Don't automatically attempt to load an OpenSSL configuration file, from the OPENSSL_CONF environment variable or from the default location for the current platform. Always triggering a configuration file load attempt may allow an attacker to load compromised OpenSSL configuration into a Node.js process if they are able to place a file in a default location.
Patched V8 arbitrary memory read (CVE-2016-5172): The V8 parser mishandled scopes, potentially allowing an attacker to obtain sensitive information from arbitrary memory locations via crafted JavaScript code. This vulnerability would require an attacker to be able to execute arbitrary JavaScript code in a Node.js process.
Create a unique v8_inspector WebSocket address: Generate a UUID for each execution of the inspector. This provides additional security to prevent unauthorized clients from connecting to the Node.js process via the v8_inspector port when running with --inspect. Since the debugging protocol allows extensive access to the internals of a running process, and the execution of arbitrary code, it is important to limit connections to authorized tools only. Note that the v8_inspector protocol in Node.js is still considered an experimental feature. Vulnerability originally reported by Jann Horn.
All of these vulnerabilities are considered low-severity for Node.js users, however, users of Node.js v6.x should upgrade at their earliest convenience.
urllib3 reports:
CVE-2016-9015: Certification verification failure
Adobe reports:
Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address a critical vulnerability that could potentially allow an attacker to take control of the affected system.
Adobe is aware of a report that an exploit for CVE-2016-7855 exists in the wild, and is being used in limited, targeted attacks against users running Windows versions 7, 8.1 and 10.
An unchecked array reference in the VGA device emulation code could potentially allow guests access to the heap of the bhyve process. Since the bhyve process is running as root, this may allow guests to obtain full control of the hosts they are running on.
For bhyve virtual machines with the "fbuf" framebuffer device configured, if exploited, a malicious guest could obtain full access to not just the host system, but to other virtual machines running on the system.
Adobe reports:
Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.
These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2016-6992).
These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-6981, CVE-2016-6987).
These updates resolve a security bypass vulnerability (CVE-2016-4286).
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-4273, CVE-2016-6982, CVE-2016-6983, CVE-2016-6984, CVE-2016-6985, CVE-2016-6986, CVE-2016-6989, CVE-2016-6990).
Mozilla Foundation reports:
CVE-2016-5287: Crash in nsTArray_base<T>::SwapArrayElements
CVE-2016-5288: Web content can read cache entries
Apache Axis2 reports:
Apache Axis2 1.7.3 is a security release that contains a fix for CVE-2010-3981. That security vulnerability affects the admin console that is part of the Axis2 Web application and was originally reported for SAP BusinessObjects (which includes a version of Axis2). That report didn’t mention Axis2 at all and the Axis2 project only recently became aware (thanks to Devesh Bhatt and Nishant Agarwala) that the issue affects Apache Axis2 as well.
The Tor Blog reports:
Prevent a class of security bugs caused by treating the contents of a buffer chunk as if they were a NUL-terminated string. At least one such bug seems to be present in all currently used versions of Tor, and would allow an attacker to remotely crash most Tor instances, especially those compiled with extra compiler hardening. With this defense in place, such bugs can't crash Tor, though we should still fix them as they occur. Closes ticket 20384 (TROVE-2016-10-001).
Ruby Security team reports:
There is a possible XSS vulnerability in Action View. Text declared as "HTML safe" will not have quotes escaped when used as attribute values in tag helpers. This vulnerability has been assigned the CVE identifier CVE-2016-6316.
Ruby Security team reports:
There is a vulnerability when Active Record is used in conjunction with JSON parameter parsing. This vulnerability has been assigned the CVE identifier CVE-2016-6317. This vulnerability is similar to CVE-2012-2660, CVE-2012-2694 and CVE-2013-0155.
PHP reports:
Fixed bug #73007 (add locale length check)
Fixed bug #72293 (Heap overflow in mysqlnd related to BIT fields)
Fixed bug #72928 (Out of bound when verify signature of zip phar in phar_parse_zipfile)
Fixed bug #73029 (Missing type check when unserializing SplArray)
Fixed bug #73052 (Memory Corruption in During Deserialized-object Destruction)
Fixed bug #72860 (wddx_deserialize use-after-free)
Fixed bug #73065 (Out-Of-Bounds Read in php_wddx_push_element)
PHP reports:
Fixed bug #73007 (add locale length check)
Fixed bug #72293 (Heap overflow in mysqlnd related to BIT fields)
Fixed bug #72928 (Out of bound when verify signature of zip phar in phar_parse_zipfile)
Fixed bug #73029 (Missing type check when unserializing SplArray)
Fixed bug #73052 (Memory Corruption in During Deserialized-object Destruction)
Fixed bug #72860 (wddx_deserialize use-after-free)
Fixed bug #73065 (Out-Of-Bounds Read in php_wddx_push_element)
reports:
File Roller 3.5.4 through 3.20.2 was affected by a path traversal bug that could result in deleted files if a user were tricked into opening a malicious archive.
Oracle reports:
Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 4.0.34, 4.1.42, 4.2.34, 4.3.32, and 5.0.8, when using a Windows guest, allows local users to affect availability via unknown vectors related to Core.
Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.0.34, 4.1.42, 4.2.34, 4.3.32, and 5.0.8, when a VM has the Remote Display feature (RDP) enabled, allows remote attackers to affect availability via unknown vectors related to Core.
Debian reports:
Various memory handling problems and cases of missing or incomplete input sanitizing may result in denial of service or the execution of arbitrary code if malformed SIXEL, PDB, MAP, SGI, TIFF and CALS files are processed.
LibGD reports:
An integer overflow issue was found in function gdImageWebpCtx of file gd_webp.c which could lead to heap buffer overflow.
Nicolas Ruff reports:
Integer overflow in MallocFrameBuffer() on client side.
Lack of malloc() return value checking on client side.
Server crash on a very large ClientCutText message.
Server crash when scaling factor is set to zero.
Multiple stack overflows in File Transfer feature.
Apache reports:
The exposure exploits the way OLE previews are generated to embed arbitrary file data into a specially crafted document when it is opened. Data exposure is possible if the updated document is distributed to other parties.
Tobias Kortkamp reports:
Heap-based buffer overflow in the pdf_load_mesh_params function in pdf/pdf-shade.c in MuPDF allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a large decode array.
Use-after-free vulnerability in the pdf_load_xref function in pdf/pdf-xref.c in MuPDF allows remote attackers to cause a denial of service (crash) via a crafted PDF file.
Tencent's Xuanwu LAB reports:
A Heap Buffer Overflow (Out-of-Bounds Write) issue was found in function opj_dwt_interleave_v of dwt.c. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of OpenJPEG.
An integer overflow issue exists in function opj_pi_create_decode of pi.c. It can lead to Out-Of-Bounds Read and Out-Of-Bounds Write in function opj_pi_next_cprl of pi.c (function opj_pi_next_lrcp, opj_pi_next_rlcp, opj_pi_next_rpcl, opj_pi_next_pcrl may also be vulnerable). This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of OpenJPEG.
Redis team reports:
The redis-cli history file (in linenoise) is created with the default OS umask value which makes it world readable in most systems and could potentially expose authentication credentials to other users.
Flaws in libarchive's handling of symlinks and hard links allow overwriting files outside the extraction directory, or permission changes to a directory outside the extraction directory.
An attacker who can control freebsd-update's or portsnap's input to tar(1) can change file content or permissions on files outside of the update tool's working sandbox.
Flaws in portsnap's verification of downloaded tar files allows additional files to be included without causing the verification to fail. Portsnap may then use or execute these files.
An attacker who can conduct man in the middle attack on the network at the time when portsnap is run can cause portsnap to execute arbitrary commands under the credentials of the user who runs portsnap, typically root.
The implementation of bspatch is susceptible to integer overflows with carefully crafted input, potentially allowing an attacker who can control the patch file to write at arbitrary locations in the heap. This issue was partially addressed in FreeBSD-SA-16:25.bspatch, but some possible integer overflows remained.
An attacker who can control the patch file can cause a crash or run arbitrary code under the credentials of the user who runs bspatch, in many cases, root.
Moritz Bunkus reports:
Most of the bugs fixed on 2016-09-06 and 2016-09-07 for issue #1780 are potentially exploitable. The scenario is arbitrary code execution with specially-crafted files.
Matthieu Herrb reports:
Tobias Stoeckmann from the OpenBSD project has discovered a number of issues in the way various X client libraries handle the responses they receive from servers, and has worked with X.Org's security team to analyze, confirm, and fix these issues. These issues come in addition to the ones discovered by Ilja van Sprundel in 2013.
Most of these issues stem from the client libraries trusting the server to send correct protocol data, and not verifying that the values will not overflow or cause other damage. Most of the time X clients and servers are run by the same user, with the server more privileged than the clients, so this is not a problem, but there are scenarios in which a privileged client can be connected to an unprivileged server, for instance, connecting a setuid X client (such as a screen lock program) to a virtual X server (such as Xvfb or Xephyr) which the user has modified to return invalid data, potentially allowing the user to escalate their privileges.
ISC reports:
Testing by ISC has uncovered a critical error condition which can occur when a nameserver is constructing a response. A defect in the rendering of messages into packets can cause named to exit with an assertion failure in buffer.c while constructing a response to a query that meets certain criteria.
Django Software Foundation reports:
An interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection.
OpenSSL reports:
Critical vulnerability in OpenSSL 1.1.0a
Fix Use After Free for large message sizes (CVE-2016-6309)
Moderate vulnerability in OpenSSL 1.0.2i
Missing CRL sanity check (CVE-2016-7052)
OpenSSL reports:
High: OCSP Status Request extension unbounded memory growth
SSL_peek() hang on empty record
SWEET32 Mitigation
OOB write in MDC2_Update()
Malformed SHA512 ticket DoS
OOB write in BN_bn2dec()
OOB read in TS_OBJ_print_bio()
Pointer arithmetic undefined behaviour
Constant time flag not preserved in DSA signing
DTLS buffered message DoS
DTLS replay protection DoS
Certificate message OOB reads
Excessive allocation of memory in tls_get_message_header()
Excessive allocation of memory in dtls1_preprocess_fragment()
NB: LibreSSL is only affected by CVE-2016-6304
Irssi reports:
Remote crash and heap corruption. Remote code execution seems difficult since only NULs are written.
Mozilla Foundation reports:
CVE-2016-2827 - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy [low]
CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 [critical]
CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 [critical]
CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]
CVE-2016-5271 - Out-of-bounds read in PropertyProvider::GetSpacingInternal [low]
CVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]
CVE-2016-5273 - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset [high]
CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]
CVE-2016-5275 - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions [critical]
CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]
CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]
CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]
CVE-2016-5279 - Full local path of files is available to web pages after drag and drop [moderate]
CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]
CVE-2016-5281 - use-after-free in DOMSVGLength [high]
CVE-2016-5282 - Don't allow content to request favicons from non-whitelisted schemes [moderate]
CVE-2016-5283 - <iframe src> fragment timing attack can reveal cross-origin data [high]
CVE-2016-5284 - Add-on update site certificate pin expiration [high]
Google Chrome Releases reports:
Several security fixes in this release, including:
- [641101] High CVE-2016-5170: Use after free in Blink. Credit to Anonymous
- [643357] High CVE-2016-5171: Use after free in Blink. Credit to Anonymous
- [616386] Medium CVE-2016-5172: Arbitrary Memory Read in v8. Credit to Choongwoo Han
- [468931] Medium CVE-2016-5173: Extension resource access. Credit to Anonymous
- [579934] Medium CVE-2016-5174: Popup not correctly suppressed. Credit to Andrey Kovalev (@L1kvID) Yandex Security Team
- [646394] CVE-2016-5175: Various fixes from internal audits, fuzzing and other initiatives.
LegalHackers reports:
RCE Bugs discovered in MySQL and its variants like MariaDB. It works by manipulating my.cnf files and using --malloc-lib. The bug seems fixed in MySQL 5.7.15 by Oracle
Matt Johnston reports:
If specific usernames including "%" symbols can be created on a system (validated by getpwnam()) then an attacker could run arbitrary code as root when connecting to Dropbear server. A dbclient user who can control username or host arguments could potentially run arbitrary code as the dbclient user. This could be a problem if scripts or webpages pass untrusted input to the dbclient program.
dropbearconvert import of OpenSSH keys could run arbitrary code as the local dropbearconvert user when parsing malicious key files.
dbclient could run arbitrary code as the local dbclient user if particular -m or -c arguments are provided. This could be an issue where dbclient is used in scripts.
dbclient or dropbear server could expose process memory to the running user if compiled with DEBUG_TRACE and running with -v.
Frederik Deweerdt reported a denial-of-service attack vector due to an unhandled error condition during socket connection.
The cURL project reports:
The four libcurl functions curl_escape(), curl_easy_escape(), curl_unescape and curl_easy_unescape perform string URL percent escaping and unescaping. They accept custom string length inputs in signed integer arguments.
The provided string length arguments were not properly checked and due to arithmetic in the functions, passing in the length 0xffffffff (2^32-1 or UINT_MAX or even just -1) would end up causing an allocation of zero bytes of heap memory that curl would attempt to write gigabytes of data into.
Google Chrome Releases reports:
33 security fixes in this release
Please reference CVE/URL list for details
Google Chrome Releases reports:
10 security fixes in this release, including:
- [629542] High CVE-2016-5141: Address bar spoofing. Credit to anonymous
- [626948] High CVE-2016-5142: Use-after-free in Blink. Credit to anonymous
- [625541] High CVE-2016-5139: Heap overflow in pdfium. Credit to GiWan Go of Stealien
- [619405] High CVE-2016-5140: Heap overflow in pdfium. Credit to Ke Liu of Tencent's Xuanwu LAB
- [623406] Medium CVE-2016-5145: Same origin bypass for images in Blink. Credit to anonymous
- [619414] Medium CVE-2016-5143: Parameter sanitization failure in DevTools. Credit to Gregory Panakkal
- [618333] Medium CVE-2016-5144: Parameter sanitization failure in DevTools. Credit to Gregory Panakkal
- [633486] CVE-2016-5146: Various fixes from internal audits, fuzzing and other initiatives.
Dawid Golunski reports:
Independent research has revealed multiple severe MySQL vulnerabilities. This advisory focuses on a critical vulnerability with a CVEID of CVE-2016-6662 which can allow attackers to (remotely) inject malicious settings into MySQL configuration files (my.cnf) leading to critical consequences.
Florian Weimer of Redhat discovered that an optimization in RSA signature validation can result in disclosure of the server's private key under certain fault conditions.
Sebastian Ramacher identified an error in wolfSSL's implementation of the server side of the DTLS handshake, which could be abused for DDoS amplification or a DoS on the DTLS server itself.
gnutls.org reports:
Stefan Bühler discovered an issue that affects validation of certificates using OCSP responses, which can falsely report a certificate as valid under certain circumstances.
Mozilla Foundation reports:
Please reference CVE/URL list for details
The Asterisk project reports:
The overlap dialing feature in chan_sip allows chan_sip to report to a device that the number that has been dialed is incomplete and more digits are required. If this functionality is used with a device that has performed username/password authentication, RTP resources are leaked. This occurs because the code fails to release the old RTP resources before allocating new ones in this scenario. If all resources are used then RTP port exhaustion will occur and no RTP sessions are able to be set up.
If overlap dialing support is not needed the "allowoverlap" option can be set to no. This will stop any usage of the scenario which causes the resource exhaustion.
The Asterisk project reports:
Asterisk can be crashed remotely by sending an ACK to it from an endpoint username that Asterisk does not recognize. Most SIP request types result in an "artificial" endpoint being looked up, but ACKs bypass this lookup. The resulting NULL pointer results in a crash when attempting to determine if ACLs should be applied.
This issue was introduced in the Asterisk 13.10 release and only affects that release.
This issue only affects users using the PJSIP stack with Asterisk. Those users that use chan_sip are unaffected.
Adam reports:
A serious vulnerability exists when using m_sasl in combination with any services that support SASL EXTERNAL. To be vulnerable you must have m_sasl loaded, and have services which support SASL EXTERNAL authentication.
The late Tokio Kikuchi reported:
We may have to set lifetime for input forms because of recent activities on cross-site request forgery (CSRF). The form lifetime is successfully deployed in frameworks like web.py or plone etc. Proposed branch lp:~tkikuchi/mailman/form-lifetime implements lifetime in admin, admindb, options and edithtml interfaces. [...]
The web admin interface has been hardened against CSRF attacks by adding a hidden, encrypted token with a time stamp to form submissions and not accepting authentication by cookie if the token is missing, invalid or older than the new mm_cfg.py setting FORM_LIFETIME which defaults to one hour. Posthumous thanks go to Tokio Kikuchi for this implementation [...].
The OpenSSH project reports:
* sshd(8): Mitigate timing differences in password authentication that could be used to discern valid from invalid account names when long passwords were sent and particular password hashing algorithms are in use on the server. CVE-2016-6210, reported by EddieEzra.Harari at verint.com
* sshd(8): (portable only) Ignore PAM environment vars when UseLogin=yes. If PAM is configured to read user-specified environment variables and UseLogin=yes in sshd_config, then a hostile local user may attack /bin/login via LD_PRELOAD or similar environment variables set via PAM. CVE-2015-8325, found by Shayan Sadigh.
Mark Sapiro reports:
CSRF protection has been extended to the user options page. This was actually fixed by Tokio Kikuchi as part of the fix for LP: #775294 and intended for Mailman 2.1.15, but that fix wasn't completely merged at the time. The full fix also addresses the admindb, and edithtml pages as well as the user options page and the previously fixed admin pages. Thanks to Nishant Agarwala for reporting the issue.
Daniel Veillard reports:
More format string warnings with possible format string vulnerability (David Kilzer)
Avoid building recursive entities (Daniel Veillard)
Heap-based buffer overread in htmlCurrentChar (Pranjal Jumde)
Heap-based buffer-underreads due to xmlParseName (David Kilzer)
Heap use-after-free in xmlSAX2AttributeNs (Pranjal Jumde)
Heap use-after-free in htmlParsePubidLiteral and htmlParseSystemLiteral (Pranjal Jumde)
Fix some format string warnings with possible format string vulnerability (David Kilzer)
Detect change of encoding when parsing HTML names (Hugh Davenport)
Fix inappropriate fetch of entities content (Daniel Veillard)
Bug 759398: Heap use-after-free in xmlDictComputeFastKey (Pranjal Jumde)
Bug 758605: Heap-based buffer overread in xmlDictAddString (Pranjal Jumde)
Bug 758588: Heap-based buffer overread in xmlParserPrintFileContextInternal (David Kilzer)
Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup (Pranjal Jumde)
Add missing increments of recursion depth counter to XML parser. (Peter Simons)
Fix NULL pointer deref in XPointer range-to
David Faure reports:
A maliciously crafted archive (.zip or .tar.bz2) with "../" in the file paths could be offered for download via the KNewStuff framework (e.g. on www.kde-look.org), and upon extraction would install files anywhere in the user's home directory.
Felix Riemann reports:
CVE-2016-6855 out-of-bounds write in eog 3.10.2.
Debian security team reports:
Tobias Stoeckmann discovered that cache files are insufficiently validated in fontconfig, a generic font configuration library. An attacker can trigger arbitrary free() calls, which in turn allows double free attacks and therefore arbitrary code execution. In combination with setuid binaries using crafted cache files, this could allow privilege escalation.
These packages have reached End of Life status and/or have been removed from the Ports Tree. They may contain undocumented security issues. Please take caution and find alternative software as soon as possible.
Werner Koch reports:
There was a bug in the mixing functions of Libgcrypt's random number generator: An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. This bug exists since 1998 in all GnuPG and Libgcrypt versions.
The phpmyadmin development team reports:
Weakness with cookie encryption
Multiple XSS vulnerabilities
Multiple XSS vulnerabilities
PHP code injection
Full path disclosure
SQL injection attack
Local file exposure
Local file exposure through symlinks with UploadDir
Path traversal with SaveDir and UploadDir
Multiple XSS vulnerabilities
SQL injection attack
SQL injection attack
Denial of service (DOS) attack in transformation feature
SQL injection attack as control user
Unvalidated data passed to unserialize()
DOS attack with forced persistent connections
Denial of service (DOS) attack by for loops
IPv6 and proxy server IP-based authentication rule circumvention
Detect if user is logged in
Bypass URL redirect protection
Referrer leak in url.php
Reflected File Download attack
ArbitraryServerRegexp bypass
Denial of service (DOS) attack by changing password to a very long string
Remote code execution vulnerability when run as CGI
Denial of service (DOS) attack with dbase extension
Remote code execution vulnerability when PHP is running with dbase extension
Hanz Jenson audit report:
I found 10 vulnerabilities. Some of these are critical and allow remote code execution. For the average user, that means that these vulnerabilities can be exploited by a malicious attacker in order to take over any Teamspeak server, not only becoming serveradmin, but getting a shell on the affected machine.
Puppet reports:
Puppet Enterprise previously included a puppet-agent MCollective plugin that allowed you to pass the `--server` argument to MCollective. This insecure argument enabled remote code execution via connection to an untrusted host. In the puppet-agent MCollective plugin included in PE 2016.2.1, this option is disabled by default.
The implementation of bspatch does not check for a negative value on numbers of bytes read from the diff and extra streams, allowing an attacker who can control the patch file to write at arbitrary locations in the heap.
This issue was first discovered by The Chromium Project and reported independently by Lu Tung-Pin to the FreeBSD project.
An attacker who can control the patch file can cause a crash or run arbitrary code under the credentials of the user who runs bspatch, in many cases, root.
Multiple vulnerabilities have been discovered in the NTP suite:
The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that could cause ntpd to crash. [CVE-2016-4957, Reported by Nicolas Edet of Cisco]
An attacker who knows the origin timestamp and can send a spoofed packet containing a CRYPTO-NAK to an ephemeral peer target before any other response is sent can demobilize that association. [CVE-2016-4953, Reported by Miroslav Lichvar of Red Hat]
An attacker who is able to spoof packets with correct origin timestamps from enough servers before the expected response packets arrive at the target machine can affect some peer variables and, for example, cause a false leap indication to be set. [CVE-2016-4954, Reported by Jakub Prokes of Red Hat]
An attacker who is able to spoof a packet with a correct origin timestamp before the expected response packet arrives at the target machine can send a CRYPTO_NAK or a bad MAC and cause the association's peer variables to be cleared. If this can be done often enough, it will prevent that association from working. [CVE-2016-4955, Reported by Miroslav Lichvar of Red Hat]
The fix for NtpBug2978 does not cover broadcast associations, so broadcast clients can be triggered to flip into interleave mode. [CVE-2016-4956, Reported by Miroslav Lichvar of Red Hat.]
Malicious remote attackers may be able to break time synchronization, or cause the ntpd(8) daemon to crash.
The implementation of historic stat(2) system call does not clear the output struct before copying it out to userland.
An unprivileged user can read a portion of uninitialised kernel stack data, which may contain sensitive information, such as the stack guard, portions of the file cache or terminal buffers, which an attacker might leverage to obtain elevated privileges.
The implementation of the TIOCGSERIAL ioctl(2) does not clear the output struct before copying it out to userland.
The implementation of the Linux sysinfo() system call does not clear the output struct before copying it out to userland.
An unprivileged user can read a portion of uninitialised kernel stack data, which may contain sensitive information, such as the stack guard, portions of the file cache or terminal buffers, which an attacker might leverage to obtain elevated privileges.
Incorrect argument handling in the socket code allows malicious local user to overwrite large portion of the kernel memory.
Malicious local user may crash kernel or execute arbitrary code in the kernel, potentially gaining superuser privileges.
Incorrect signedness comparison in the ioctl(2) handler allows a malicious local user to overwrite a portion of the kernel memory.
A local user may crash the kernel, read a portion of kernel memory and execute arbitrary code in kernel context. The result of executing an arbitrary kernel code is privilege escalation.
A special combination of sysarch(2) arguments specifies a request to uninstall a set of descriptors from the LDT: the start descriptor is cleared and the number of descriptors is provided. Due to lack of sufficient bounds checking during argument validity verification, unbounded zeroing of the process LDT and adjacent memory can be initiated from usermode.
This vulnerability could cause the kernel to panic. In addition it is possible to perform a local Denial of Service against the system by unprivileged processes.
A cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or POP3) shares the RSA keys of the non-vulnerable server. This vulnerability is known as DROWN. [CVE-2016-0800]
A double free bug was discovered when OpenSSL parses malformed DSA private keys and could lead to a DoS attack or memory corruption for applications that receive DSA private keys from untrusted sources. This scenario is considered rare. [CVE-2016-0705]
The SRP user database lookup method SRP_VBASE_get_by_user had confusing memory management semantics; the returned pointer was sometimes newly allocated, and sometimes owned by the callee. The calling code has no way of distinguishing these two cases. [CVE-2016-0798]
In the BN_hex2bn function, the number of hex digits is calculated using an int value |i|. Later |bn_expand| is called with a value of |i * 4|. For large values of |i| this can result in |bn_expand| not allocating any memory because |i * 4| is negative. This can leave the internal BIGNUM data field as NULL leading to a subsequent NULL pointer dereference. For very large values of |i|, the calculation |i * 4| could be a positive value smaller than |i|. In this case memory is allocated to the internal BIGNUM data field, but it is insufficiently sized leading to heap corruption. A similar issue exists in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn is ever called by user applications with very large untrusted hex/dec data. This is anticipated to be a rare occurrence. [CVE-2016-0797]
The internal |fmtstr| function used in processing a "%s" formatted string in the BIO_*printf functions could overflow while calculating the length of a string and cause an out-of-bounds read when printing very long strings. [CVE-2016-0799]
A side-channel attack was found which makes use of cache-bank conflicts on the Intel Sandy-Bridge microarchitecture which could lead to the recovery of RSA keys. [CVE-2016-0702]
s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers. If clear-key bytes are present for these ciphers, they displace encrypted-key bytes. [CVE-2016-0703]
s2_srvr.c overwrites the wrong bytes in the master key when applying Bleichenbacher protection for export cipher suites. [CVE-2016-0704]
Servers that have the SSLv2 protocol enabled are vulnerable to the "DROWN" attack, which allows a remote attacker to rapidly attack many recorded TLS connections made to the server, even when the client did not make any SSLv2 connections itself.
An attacker who can supply malformed DSA private keys to OpenSSL applications may be able to cause memory corruption which would lead to a Denial of Service condition. [CVE-2016-0705]
An attacker connecting with an invalid username can cause memory leak, which could eventually lead to a Denial of Service condition. [CVE-2016-0798]
An attacker who can inject malformed data into an application may be able to cause memory corruption which would lead to a Denial of Service condition. [CVE-2016-0797, CVE-2016-0799]
A local attacker who has control of code in a thread running on the same hyper-threaded core as the victim thread which is performing decryptions could recover RSA keys. [CVE-2016-0702]
An eavesdropper who can intercept SSLv2 handshake can conduct an efficient divide-and-conquer key recovery attack and use the server as an oracle to determine the SSLv2 master-key, using only 16 connections to the server and negligible computation. [CVE-2016-0703]
An attacker can use the Bleichenbacher oracle, which enables more efficient variant of the DROWN attack. [CVE-2016-0704]
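The BN_hex2bn description above (CVE-2016-0797) is a textbook size-computation overflow: a digit count held in an int is multiplied by 4 and the result is trusted as an allocation size, so it can go negative (no allocation, later NULL dereference) or wrap to a small positive value (undersized buffer, heap corruption). The following is an added example, not OpenSSL's code: a hypothetical hex-to-bytes parser whose digit count is validated before any size arithmetic, plus a helper that reproduces the two wrapped values the advisory mentions so the failure mode can be seen concretely.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* What an unchecked `i * 4` in int would yield on a two's-complement
   machine. Signed overflow itself is undefined behaviour in C, so the
   wrap is reproduced here with unsigned arithmetic purely to show the
   values the advisory describes. */
int wrapped_times4(int i)
{
    return (int)((unsigned)i * 4u);
}

/* Bits needed for `ndigits` hex digits, refusing any count for which
   ndigits * 4 would not fit in an int. Returns 0 on success, -1 otherwise.
   (Hypothetical helper, not OpenSSL's.) */
int hex_digits_to_bits(int ndigits, int *nbits)
{
    if (ndigits < 0 || ndigits > INT_MAX / 4)
        return -1;
    *nbits = ndigits * 4;
    return 0;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse a hex string into big-endian bytes. The digit count is capped
   while counting, so an oversized input is rejected instead of producing
   a negative or wrapped allocation size. On success returns 0 and sets
   *out (caller frees) and *outlen; returns -1 on bad or empty input. */
int hex2bin(const char *hex, unsigned char **out, size_t *outlen)
{
    int ndigits = 0;
    for (const char *p = hex; *p; p++) {
        if (hexval((unsigned char)*p) < 0)
            return -1;
        if (ndigits == INT_MAX / 4)       /* one more digit would overflow ndigits * 4 */
            return -1;
        ndigits++;
    }
    if (ndigits == 0)
        return -1;

    int nbits;
    if (hex_digits_to_bits(ndigits, &nbits) < 0)
        return -1;
    size_t n = ((size_t)nbits + 7) / 8;   /* bytes, rounding an odd digit count up */

    unsigned char *buf = calloc(n, 1);
    if (buf == NULL)
        return -1;

    /* Fill from the least significant end so "abc" becomes 0x0a 0xbc. */
    size_t bi = n - 1;
    int high = 0;
    for (int d = ndigits - 1; d >= 0; d--) {
        unsigned char v = (unsigned char)hexval((unsigned char)hex[d]);
        if (!high) {
            buf[bi] = v;
        } else {
            buf[bi] |= (unsigned char)(v << 4);
            bi--;                          /* may pass zero on the last digit; never read again */
        }
        high ^= 1;
    }
    *out = buf;
    *outlen = n;
    return 0;
}

int main(void)
{
    unsigned char *b;
    size_t n;
    if (hex2bin("deadbeef", &b, &n) == 0) {
        for (size_t i = 0; i < n; i++) printf("%02x ", b[i]);
        printf("(%zu bytes)\n", n);
        free(b);
    }
    printf("0x20000000 * 4 wraps to %d (negative)\n", wrapped_times4(0x20000000));
    printf("0x40000001 * 4 wraps to %d (tiny positive)\n", wrapped_times4(0x40000001));
    return 0;
}
```

The check to carry into your own code is the one on `ndigits > INT_MAX / 4`: validate the count, then multiply, never the other way round.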
A programming error in the Linux compatibility layer could cause the issetugid(2) system call to return incorrect information.
If an application relies on output of the issetugid(2) system call and that information is incorrect, this could lead to a privilege escalation.
The SNMP protocol supports an authentication model called USM, which relies on a shared secret. The default permission of the snmpd configuration file, /etc/snmpd.config, is weak and does not provide adequate protection against local unprivileged users.
A local user may be able to read the shared secret, if configured and used by the system administrator.
A programming error in processing a TCP connection with both TCP_MD5SIG and TCP_NOOPT socket options may lead to kernel crash.
A local attacker can crash the kernel, resulting in a denial-of-service.
A remote attack is theoretically possible if the server has a listening socket with TCP_NOOPT set and is either out of SYN cache entries or has the SYN cache disabled by configuration.
A programming error in the Linux compatibility layer setgroups(2) system call can lead to unexpected results, such as overwriting random kernel memory contents.
It is possible for a local attacker to overwrite portions of kernel memory, which may result in a privilege escalation or cause a system panic.
A programming error in the handling of Linux futex robust lists may result in incorrect memory locations being accessed.
It is possible for a local attacker to read portions of kernel memory, which may result in a privilege escalation.
A lack of proper input checks in the ICMPv6 processing in the SCTP stack can lead to either a failed kernel assertion or to a NULL pointer dereference. In either case, a kernel panic will follow.
A remote, unauthenticated attacker can reliably trigger a kernel panic in a vulnerable system running IPv6. Any kernel compiled with both IPv6 and SCTP support is vulnerable. There is no requirement to have an SCTP socket open.
IPv4 ICMP processing is not impacted by this vulnerability.
In rpcbind(8), netbuf structures are copied directly, which results in two netbuf structures that reference one shared address buffer. When one of the two netbuf structures is freed, access to the other netbuf structure results in undefined behaviour that may crash the rpcbind(8) daemon.
A remote attacker who can send specifically crafted packets to the rpcbind(8) daemon can cause it to crash, resulting in a denial of service condition.
If the kernel-mode IRET instruction generates an #SS or #NP exception, but the exception handler does not properly ensure that the right GS register base for kernel is reloaded, the userland GS segment may be used in the context of the kernel exception handler.
By causing an IRET with #SS or #NP exceptions, a local attacker can cause the kernel to use an arbitrary GS base, which may allow escalated privileges or panic the system.
Multiple integer overflows have been discovered in the XML_GetBuffer() function in the expat library.
The integer overflows may be exploited by using specifically crafted XML data and lead to infinite loop, or a heap buffer overflow, which results in a Denial of Service condition, or enables remote attackers to execute arbitrary code.
The input path in routed(8) will accept queries from any source and attempt to answer them. However, the output path assumes that the destination address for the response is on a directly connected network.
Upon receipt of a query from a source which is not on a directly connected network, routed(8) will trigger an assertion and terminate. The affected system's routing table will no longer be updated. If the affected system is a router, its routes will eventually expire from other routers' routing tables, and its networks will no longer be reachable unless they are also connected to another router.
Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch(1) to pass certain ed(1) scripts to the ed(1) editor, which would run commands.
This issue could be exploited to execute arbitrary commands as the user invoking patch(1) against a specially crafted patch file, which could be leveraged to obtain elevated privileges.
There is a mistake with the introduction of VNET, which converted the global limit on the number of segments that could belong to reassembly queues into a per-VNET limit. Because mbufs are allocated from a global pool, in the presence of a sufficient number of VNETs, the total number of mbufs attached to reassembly queues can grow to the total number of mbufs in the system, at which point all network traffic would cease.
An attacker who can establish concurrent TCP connections across a sufficient number of VNETs and manipulate the inbound packet streams such that the maximum number of mbufs are enqueued on each reassembly queue can cause mbuf cluster exhaustion on the target system, resulting in a Denial of Service condition.
As the default per-VNET limit on the number of segments that can belong to reassembly queues is 1/16 of the total number of mbuf clusters in the system, only systems that have 16 or more VNET instances are vulnerable.
Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch(1) to run commands in addition to the desired SCCS or RCS commands.
This issue could be exploited to execute arbitrary commands as the user invoking patch(1) against a specially crafted patch file, which could be leveraged to obtain elevated privileges.
TCP connections transitioning to the LAST_ACK state can become permanently stuck due to mishandling of protocol state in certain situations, which in turn can lead to accumulated consumption and eventual exhaustion of system resources, such as mbufs and sockets.
An attacker who can repeatedly establish TCP connections to a victim system (for instance, a Web server) could create many TCP connections that are stuck in LAST_ACK state and cause resource exhaustion, resulting in a denial of service condition. This may also happen in normal operation where no intentional attack is conducted, but an attacker who can send specifically crafted packets can trigger this more reliably.
The Neighbor Discovery Protocol allows a local router to advertise a suggested Current Hop Limit value for a link, which will replace the Current Hop Limit on an interface connected to the link on the FreeBSD system.
When the Current Hop Limit (similar to IPv4's TTL) is small, IPv6 packets may get dropped before they reach their destinations.
By sending specifically crafted Router Advertisement packets, an attacker on the local network can cause the FreeBSD system to lose the ability to communicate with another IPv6 node on a different network.
The default permission set by bsdinstall(8) installer when configuring full disk encrypted ZFS is too open.
A local attacker may be able to get a copy of the geli(8) provider's keyfile which is located at a fixed location.
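Both the snmpd.config entry above (a USM shared secret in a world-readable file) and this geli keyfile entry come down to the same check: a file holding secret material must not carry any group or other permission bits. The following is an added example, not FreeBSD's installer or snmpd code: a small C audit helper that stats a path, reports whether it is a regular file readable only by its owner, tightens it to 0600, and exercises itself on a constructed temporary file (the path and function names are hypothetical).

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/stat.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Return 1 if path is a regular file with no group/other permission bits,
   0 if anyone besides the owner has some access (or it is not a regular
   file), -1 if it cannot be stat'ed. Mode bits are checked, not the
   caller's own access, so this works the same when run as root. */
int secret_file_perms_ok(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    if (!S_ISREG(st.st_mode))
        return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Reduce the file to owner read/write only (0600). Returns 0 on success. */
int tighten_secret_file(const char *path)
{
    return chmod(path, S_IRUSR | S_IWUSR);
}

/* Self-test on a constructed temp file: give it the too-open mode a
   misconfigured /etc/snmpd.config or keyfile might have, confirm the
   check flags it, fix it, and confirm the check now passes.
   Returns 1 if every step behaved as expected. */
int demo_fix_temp_file(void)
{
    char path[] = "/tmp/secret-perms-XXXXXX";   /* constructed, not a real config path */
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;
    close(fd);

    int ok = chmod(path, 0644) == 0 &&
             secret_file_perms_ok(path) == 0 &&
             tighten_secret_file(path) == 0 &&
             secret_file_perms_ok(path) == 1;

    unlink(path);
    return ok;
}

int main(int argc, char **argv)
{
    /* With arguments, audit the named files; without, run the self-test. */
    if (argc > 1) {
        for (int i = 1; i < argc; i++) {
            int r = secret_file_perms_ok(argv[i]);
            printf("%s: %s\n", argv[i],
                   r == 1 ? "ok" : r == 0 ? "TOO OPEN (run chmod 600)" : "cannot stat");
        }
        return 0;
    }
    printf("self-test %s\n", demo_fix_temp_file() ? "passed" : "failed");
    return 0;
}
```

Run it against the paths the two advisories name on an affected system to confirm the fix was applied; a result of "TOO OPEN" is exactly the state the advisories describe.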
An integer overflow in computing the size of IGMPv3 data buffer can result in a buffer which is too small for the requested operation.
An attacker who can send specifically crafted IGMP packets could cause a denial of service situation by causing the kernel to crash.
The input validation of received SCTP RE_CONFIG chunks is insufficient, and can result in a NULL pointer dereference later.
A remote attacker who can send a malformed SCTP packet to a FreeBSD system that serves SCTP can cause a kernel panic, resulting in a Denial of Service.
Due to insufficient validation of the SCTP stream ID, which serves as an array index, a local unprivileged attacker can read or write 16-bits of kernel memory.
An unprivileged process can read or modify 16-bits of memory which belongs to the kernel. This may lead to exposure of sensitive information or allow privilege escalation.
A programming error in the standard I/O library's __sflush() function could erroneously adjust the buffered stream's internal state even when no write actually occurred in the case when write(2) system call returns an error.
The accounting mismatch would accumulate, if the caller does not check for stream status and will eventually lead to a heap buffer overflow.
Such overflows may lead to data corruption or the execution of arbitrary code at the privilege level of the calling program.
A malicious HTTP server could cause ftp(1) to execute arbitrary commands.
When operating on HTTP URIs, the ftp(1) client follows HTTP redirects, and uses the part of the path after the last '/' from the last resource it accesses as the output filename if '-o' is not specified.
If the output file name provided by the server begins with a pipe ('|'), the output is passed to popen(3), which might be used to execute arbitrary commands on the ftp(1) client machine.
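The root cause above is that a name chosen by the remote server flowed into the same code path as the user's own `-o` argument, where a leading `|` legitimately means "pipe the download into this command". The following is an added example, not ftp(1)'s source: a hypothetical pair of helpers that derive the output name the way the text describes (path component after the last `/` of the final URL) and then refuse to treat a server-supplied name as anything but a plain file, keeping the pipe feature only for names the user typed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Output name derived when -o is absent: the part of the URL after the
   last '/'. Returns a malloc'd string, or NULL if there is no component
   (e.g. the URL ends in '/'). Hypothetical helper, not ftp(1)'s. */
char *output_name_from_url(const char *url)
{
    const char *slash = strrchr(url, '/');
    const char *tail = slash ? slash + 1 : url;
    if (*tail == '\0')
        return NULL;
    return strdup(tail);
}

/* A name that came from the network (URL path or a redirect target) may
   only ever become a plain file in the current directory. Returns 1 if it
   is safe to fopen(), 0 otherwise. */
int server_supplied_name_ok(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (name[0] == '|')                    /* would reach popen(3) */
        return 0;
    if (name[0] == '-')                    /* "-" means stdout; also blocks option-like names */
        return 0;
    if (strchr(name, '/') != NULL)         /* no directory components */
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

/* Open the download target. from_server says whether the name was chosen
   by the remote side (restricted to a plain file) or typed by the user
   with -o (where "|cmd" and "-" remain features). Returns NULL when a
   server-supplied name is rejected. */
FILE *open_output(const char *name, int from_server)
{
    if (from_server) {
        if (!server_supplied_name_ok(name))
            return NULL;
        return fopen(name, "wb");
    }
    if (name[0] == '|')
        return popen(name + 1, "w");       /* user explicitly asked for a pipe */
    if (strcmp(name, "-") == 0)
        return stdout;
    return fopen(name, "wb");
}

int main(void)
{
    /* Constructed URLs, the second shaped like the hostile redirect target. */
    const char *urls[] = {
        "http://example.test/pub/files/report.pdf",
        "http://example.test/dl/|sh -c id",
    };
    for (size_t i = 0; i < 2; i++) {
        char *name = output_name_from_url(urls[i]);
        printf("%-45s -> \"%s\": %s\n", urls[i], name ? name : "(none)",
               server_supplied_name_ok(name) ? "plain file" : "REJECTED");
        free(name);
    }
    return 0;
}
```

The important design point is the `from_server` flag: the fix is not to strip the pipe feature but to never let untrusted input select it.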
When setlogin(2) is called while setting up a new login session, the login name is copied into an uninitialized stack buffer, which is then copied into a buffer of the same size in the session structure. The getlogin(2) system call returns the entire buffer rather than just the portion occupied by the login name associated with the session.
An unprivileged user can access this memory by calling getlogin(2) and reading beyond the terminating NUL character of the resulting string. Up to 16 (FreeBSD 8) or 32 (FreeBSD 9 and 10) bytes of kernel memory may be leaked in this manner for each invocation of setlogin(2).
This memory may contain sensitive information, such as portions of the file cache or terminal buffers, which an attacker might leverage to obtain elevated privileges.
Although OpenSSH is not multithreaded, when OpenSSH is compiled with Kerberos support, the Heimdal libraries bring in the POSIX thread library as a dependency. Due to incorrect library ordering while linking sshd(8), symbols in the C library which are shadowed by the POSIX thread library may not be resolved correctly at run time.
Note that this problem is specific to the FreeBSD build system and does not affect other operating systems or the version of OpenSSH available from the FreeBSD ports tree.
An incorrectly linked sshd(8) child process may deadlock while handling an incoming connection. The connection may then time out or be interrupted by the client, leaving the deadlocked sshd(8) child process behind. Eventually, the sshd(8) parent process stops accepting new connections.
An attacker may take advantage of this by repeatedly connecting and then dropping the connection after having begun, but not completed, the authentication process.
The namei facility will leak a small amount of kernel memory every time a sandboxed process looks up a nonexistent path name.
A remote attacker that can cause a sandboxed process (for instance, a web server) to look up a large number of nonexistent path names can cause memory exhaustion.
The input path in routed(8) will accept queries from any source and attempt to answer them. However, the output path assumes that the destination address for the response is on a directly connected network.
Upon receipt of a query from a source which is not on a directly connected network, routed(8) will trigger an assertion and terminate. The affected system's routing table will no longer be updated. If the affected system is a router, its routes will eventually expire from other routers' routing tables, and its networks will no longer be reachable unless they are also connected to another router.
Due to a missing length check in the code that handles DNS parameters, a malformed router advertisement message can result in a stack buffer overflow in rtsold(8).
Receipt of a router advertisement message with a malformed DNSSL option, for instance from a compromised host on the same network, can cause rtsold(8) to crash.
While it is theoretically possible to inject code into rtsold(8) through malformed router advertisement messages, it is normally compiled with stack protection enabled, rendering such an attack extremely difficult.
When rtsold(8) crashes, the existing DNS configuration will remain in force, and the kernel will continue to receive and process periodic router advertisements.
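The rtsold(8) entry above describes a missing length check while copying DNS search list data out of a router advertisement. The following is an added example, not rtsold's code: a hypothetical C parser for the RFC 6106 DNSSL option (type 31, length in 8-octet units, reserved, 32-bit lifetime, then DNS wire-format names padded to an 8-octet boundary) in which every read is bounded by the option length and every write by the destination buffer, so a label that claims more bytes than exist, or a name longer than the output buffer, is rejected instead of overrunning the stack. The two sample options are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ND_OPT_DNSSL 31       /* RFC 6106 DNS Search List option type */
#define MAX_NAME     255      /* longest dotted name we will emit */

/* Decode one DNS wire-format name at in[off] into dotted form in out.
   Returns bytes consumed, or -1 if the name is malformed. Every read is
   bounded by inlen and every write by outlen; a missing destination
   check is the class of bug the advisory describes. */
static int decode_name(const uint8_t *in, size_t inlen, size_t off,
                       char *out, size_t outlen)
{
    size_t start = off, o = 0;

    for (;;) {
        if (off >= inlen)
            return -1;                      /* ran off the end of the option */
        uint8_t l = in[off++];
        if (l == 0)
            break;                          /* root label terminates the name */
        if (l > 63)
            return -1;                      /* compression/extended labels are not valid here */
        if (off + l > inlen)
            return -1;                      /* label claims bytes past the option */
        if (o + (o > 0) + l + 1 > outlen)
            return -1;                      /* '.' + label + NUL would overflow out */
        if (o > 0)
            out[o++] = '.';
        memcpy(out + o, in + off, l);
        o += l;
        off += l;
    }
    if (o == 0)
        return -1;                          /* a bare root name is not a search domain */
    out[o] = '\0';
    return (int)(off - start);
}

/* Parse a DNSSL option into up to nmax dotted names. Returns the number of
   names found, or -1 if the option is malformed or holds more than nmax. */
int parse_dnssl(const uint8_t *opt, size_t optlen, uint32_t *lifetime,
                char names[][MAX_NAME + 1], size_t nmax)
{
    if (optlen < 8 || opt[0] != ND_OPT_DNSSL)
        return -1;
    size_t declared = (size_t)opt[1] * 8;
    if (declared == 0 || declared > optlen)
        return -1;                          /* length field exceeds what was received */
    *lifetime = ((uint32_t)opt[4] << 24) | ((uint32_t)opt[5] << 16) |
                ((uint32_t)opt[6] << 8) | opt[7];

    size_t off = 8, n = 0;
    while (off < declared && opt[off] != 0) {   /* a zero byte here is padding */
        if (n == nmax)
            return -1;
        int used = decode_name(opt, declared, off, names[n], MAX_NAME + 1);
        if (used < 0)
            return -1;
        off += (size_t)used;
        n++;
    }
    return (int)n;
}

/* Constructed sample: search list "example.test", "corp.example.test",
   lifetime 3600, 41 bytes of content padded to 48 (length field 6). */
static const uint8_t good_opt[] = {
    31, 6, 0, 0, 0x00, 0x00, 0x0e, 0x10,
    7, 'e','x','a','m','p','l','e', 4, 't','e','s','t', 0,
    4, 'c','o','r','p', 7, 'e','x','a','m','p','l','e', 4, 't','e','s','t', 0,
    0, 0, 0, 0, 0, 0, 0,
};

/* Constructed malformed sample: a label claiming 60 bytes inside a
   16-byte option, the shape that overran the unchecked copy. */
static const uint8_t bad_opt[] = {
    31, 2, 0, 0, 0, 0, 0, 60,
    60, 'a','b','c','d','e','f','g',
};

int main(void)
{
    char names[4][MAX_NAME + 1];
    uint32_t lifetime;
    int n = parse_dnssl(good_opt, sizeof good_opt, &lifetime, names, 4);
    printf("good option: %d name(s), lifetime %u\n", n, (unsigned)lifetime);
    for (int i = 0; i < n; i++)
        printf("  %s\n", names[i]);
    printf("bad option: %d (rejected)\n",
           parse_dnssl(bad_opt, sizeof bad_opt, &lifetime, names, 4));
    return 0;
}
```

Note that the parser trusts the option's own length field only after checking it against the bytes actually received, and that the destination check in decode_name is what keeps a long search list from writing past the caller's buffer.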
When a segment with the SYN flag for an already existing connection arrives, the TCP stack tears down the connection, bypassing a check that the sequence number in the segment is in the expected window.
An attacker who has the ability to spoof IP traffic can tear down a TCP connection by sending only 2 packets, if they know both TCP port numbers. In case one of the two port numbers is unknown, a successful attack requires less than 2**17 packets spoofed, which can be generated within less than a second on a decent connection to the Internet.
Buffer between control message header and data may not be completely initialized before being copied to userland. [CVE-2014-3952]
Three SCTP cmsgs, SCTP_SNDRCV, SCTP_EXTRCV and SCTP_RCVINFO, have implicit padding that may not be completely initialized before being copied to userland. In addition, three SCTP notifications, SCTP_PEER_ADDR_CHANGE, SCTP_REMOTE_ERROR and SCTP_AUTHENTICATION_EVENT, have padding in the returning data structure that may not be completely initialized before being copied to userland. [CVE-2014-3953]
An unprivileged local process may be able to retrieve portion of kernel memory.
For the generic control message, the process may be able to retrieve a maximum of 4 bytes of kernel memory.
For SCTP, the process may be able to retrieve 2 bytes of kernel memory for all three control messages, plus 92 bytes for SCTP_SNDRCV and 76 bytes for SCTP_EXTRCV. If the local process is permitted to receive SCTP notification, a maximum of 112 bytes of kernel memory may be returned to userland.
This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way. For example, a terminal buffer might include a user-entered password.
A specifically crafted Composite Document File (CDF) file can trigger an out-of-bounds read or an invalid pointer dereference. [CVE-2012-1571]
A flaw in regular expression in the awk script detector makes use of multiple wildcards with unlimited repetitions. [CVE-2013-7345]
A malicious input file could trigger infinite recursion in libmagic(3). [CVE-2014-1943]
A specifically crafted Portable Executable (PE) can trigger out-of-bounds read. [CVE-2014-2270]
An attacker who can cause file(1) or any other application using the libmagic(3) library to be run on a maliciously constructed input can cause the application to crash or consume excessive CPU resources, resulting in a denial-of-service.
A NULL pointer dereference in the initialization code of the HZ module and an out of bounds array access in the initialization code of the VIQR module make iconv_open(3) calls involving HZ or VIQR result in an application crash.
Services where an attacker can control the arguments of an iconv_open(3) call can be caused to crash resulting in a denial-of-service. For example, an email encoded in HZ may cause an email delivery service to crash if it converts emails to a more generic encoding like UTF-8 before applying filtering rules.
The OpenPAM library searches for policy definitions in several locations. While doing so, the absence of a policy file is a soft failure (handled by searching in the next location) while the presence of an invalid file is a hard failure (handled by returning an error to the caller).
The policy parser returns the same error code (ENOENT) when a syntactically valid policy references a non-existent module as when the requested policy file does not exist. The search loop regards this as a soft failure and looks for the next similarly-named policy, without discarding the partially-loaded configuration.
A similar issue can arise if a policy contains an include directive that refers to a non-existent policy.
If a module is removed, or the name of a module is misspelled in the policy file, the PAM library will proceed with a partially loaded configuration. Depending on the exact circumstances, this may result in a fail-open scenario where users are allowed to log in without a password, or with an incorrect password.
In particular, if a policy references a module installed by a package or port, and that package or port is being reinstalled or upgraded, there is a brief window of time during which the module is absent and policies that use it may fail open. This can be especially damaging to Internet-facing SSH servers, which are regularly subjected to brute-force scans.
Due to an overlooked merge to -STABLE branches, the size for page fault kernel trace entries was set incorrectly.
A user who can enable kernel process tracing could end up reading the contents of kernel memory.
Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way; for example, a terminal buffer might include a user-entered password.
A programming error in sendmail(8) prevented open file descriptors from having close-on-exec properly set. Consequently a subprocess is able to access all files that the parent process has open.
A local user who can execute their own program for mail delivery will be able to interfere with an open SMTP connection.
FreeBSD may add a reassembly queue entry allocated on the stack into the segment list when the reassembly queue reaches its limit. The memory from the stack is undefined after the function returns. Subsequent iterations of the reassembly function will attempt to access this entry.
An attacker who can send a series of specifically crafted packets with a connection could cause a denial of service situation by causing the kernel to crash.
Additionally, because the undefined on-stack memory may be overwritten by other kernel threads, it may be possible, although extremely difficult, for an attacker to construct a carefully crafted attack to obtain a portion of kernel memory via a connected socket. This may result in the disclosure of sensitive information such as login credentials before or even without crashing the system.
The default devfs rulesets are not loaded on boot, even when jails are used. Device nodes will be created in the jail with their normal default access permissions, while most of them should be hidden and inaccessible.
Jailed processes can get access to restricted resources on the host system. For jailed processes running with superuser privileges this implies access to all devices on the system. This level of access could lead to information leakage and privilege escalation.
The kernel holds a lock over the source directory vnode while trying to convert the target directory file handle to a vnode, which needs to be returned with the lock held, too. This order may be in violation of normal lock order, which in conjunction with other threads that grab locks in the right order, constitutes a deadlock condition because no thread can proceed.
An attacker on a trusted client could cause the NFS server to become deadlocked, resulting in a denial of service.
Problem Description:
The bsnmpd(8) daemon is prone to a stack-based buffer-overflow when it has received a specifically crafted GETBULK PDU request.
Impact:
This issue could be exploited to execute arbitrary code in the context of the service daemon, or crash the service daemon, causing a denial-of-service.
PostgreSQL project reports:
Security Fixes: nested CASE expressions + database and role names with embedded special characters
- CVE-2016-5423: certain nested CASE expressions can cause the server to crash.
- CVE-2016-5424: database and role names with embedded special characters can allow code injection during administrative operations like pg_dumpall.
Piwik reports:
We have identified and fixed several XSS security issues in this release.
ISC reports:
DNS protocols were designed with the assumption that a certain amount of trust could be presumed between the operators of primary and secondary servers for a given zone. However, in current practice some organizations have scenarios which require them to accept zone data from sources that are not fully trusted (for example: providers of secondary name service). A party who is allowed to feed data into a zone (e.g. by AXFR, IXFR, or Dynamic DNS updates) can overwhelm the server which is accepting data by intentionally or accidentally exhausting that server's memory.
Problem Description:
When initializing the SCTP state cookie being sent in INIT-ACK chunks, a buffer allocated from the kernel stack is not completely initialized.
Impact:
Fragments of kernel memory may be included in SCTP packets and transmitted over the network. For each SCTP session, there are two separate instances in which a 4-byte fragment may be transmitted.
This memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way. For example, a terminal buffer might include a user-entered password.
Problem Description:
An integer overflow in computing the size of a temporary buffer can result in a buffer which is too small for the requested operation.
Impact:
An unprivileged process can read or write pages of memory which belong to the kernel. These may lead to exposure of sensitive information or allow privilege escalation.
Problem Description:
The kernel incorrectly uses client supplied credentials instead of the one configured in exports(5) when filling out the anonymous credential for an NFS export, when -network or -host restrictions are used at the same time.
Impact:
The remote client may supply privileged credentials (e.g. the root user) when accessing a file under the NFS share, which will bypass the normal access checks.
The collectd Project reports:
Emilien Gaspar has identified a heap overflow in collectd's network plugin which can be triggered remotely and is potentially exploitable.
Marina Glancy reports:
MSA-16-0019: Glossary search displays entries without checking user permissions to view them
MSA-16-0020: Text injection in email headers
MSA-16-0021: Unenrolled user still receives event monitor notifications even though they can no longer access the course
ISC reports:
A query name which is too long can cause a segmentation fault in lwresd.
Wireshark development team reports:
The following vulnerabilities have been fixed:
wnpa-sec-2016-41
PacketBB crash. (Bug 12577)
wnpa-sec-2016-42
WSP infinite loop. (Bug 12594)
wnpa-sec-2016-44
RLC long loop. (Bug 12660)
wnpa-sec-2016-45
LDSS dissector crash. (Bug 12662)
wnpa-sec-2016-46
RLC dissector crash. (Bug 12664)
wnpa-sec-2016-47
OpenFlow long loop. (Bug 12659)
wnpa-sec-2016-48
MMSE, WAP, WBXML, and WSP infinite loop. (Bug 12661)
wnpa-sec-2016-49
WBXML crash. (Bug 12663)
Jakub Wilk reports:
XSLoader tries to load code from a subdirectory in the cwd when called inside a string eval
Sawyer X reports:
Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.
Pierre Joye reports:
fix php bug 72339, Integer Overflow in _gd2GetHeader (CVE-2016-5766)
gd: Buffer over-read issue when parsing crafted TGA file (CVE-2016-6132)
Integer overflow error within _gdContributionsAlloc() (CVE-2016-6207)
fix php bug 72494, invalid color index not handled, can lead to crash (CVE-2016-6128)
Curl security team reports:
CVE-2016-5419 - TLS session resumption client cert bypass
CVE-2016-5420 - Re-using connections with wrong client cert
CVE-2016-5421 - use of connection struct after free
Lighttpd Project reports:
Security fixes for Lighttpd:
security: encode quoting chars in HTML and XML
security: ensure gid != 0 if server.username is set, but not server.groupname
security: disable stat_cache if server.follow-symlink = "disable"
security: httpoxy defense: do not emit HTTP_PROXY to CGI env
The Xen Project reports:
A guest can submit virtio requests without bothering to wait for completion and is therefore not bound by virtqueue size...
A malicious guest administrator can cause unbounded memory allocation in QEMU, which can cause an Out-of-Memory condition in the domain running qemu. Thus, a malicious guest administrator can cause a denial of service affecting the whole host.
The Xen Project reports:
Supervisor Mode Access Prevention is a hardware feature designed to make an Operating System more robust, by raising a pagefault rather than accidentally following a pointer into userspace. However, legitimate accesses into userspace require whitelisting, and the exception delivery mechanism for 32bit PV guests wasn't whitelisted.
A malicious 32-bit PV guest kernel can trigger a safety check, crashing the hypervisor and causing a denial of service to other VMs on the host.
The Xen Project reports:
The PV pagetable code has fast-paths for making updates to pre-existing pagetable entries, to skip expensive re-validation in safe cases (e.g. clearing only Access/Dirty bits). The bits considered safe were too broad, and not actually safe.
A malicious PV guest administrator can escalate their privilege to that of the host.
Simon Josefsson reports:
libidn: Fix out-of-bounds stack read in idna_to_ascii_4i.
idn: Solve out-of-bounds-read when reading one zero byte as input. Also replaced fgets with getline.
libidn: stringprep_utf8_nfkc_normalize reject invalid UTF-8. It was always documented to only accept UTF-8 data, but now it doesn't crash when presented with such data.
The GIMP team reports:
A Use-after-free vulnerability was found in the xcf_load_image function.
Apache reports:
The Xerces-C XML parser fails to successfully parse a DTD that is deeply nested, and this causes a stack overflow, which makes a denial of service attack against many applications possible by an unauthenticated attacker.
Also, CVE-2016-2099: Use-after-free vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 3.1.3 and earlier allows context-dependent attackers to have unspecified impact via an invalid character in an XML document.
PHP reports:
Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns)
Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and unserialize()).
Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read access).
Fixed bug #72519 (imagegif/output out-of-bounds access).
Fixed bug #72520 (Stack-based buffer overflow vulnerability in php_stream_zip_opener).
Fixed bug #72533 (locale_accept_from_http out-of-bounds access).
Fixed bug #72541 (size_t overflow lead to heap corruption).
Fixed bug #72551, bug #72552 (Incorrect casting from size_t to int lead to heap overflow in mdecrypt_generic).
Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()).
Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and applications).
Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE).
Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c).
Fixed bug #72613 (Inadequate error handling in bzread()).
Fixed bug #72618 (NULL Pointer Dereference in exif_process_user_comment).
Google Chrome Releases reports:
48 security fixes in this release, including:
- [610600] High CVE-2016-1706: Sandbox escape in PPAPI. Credit to Pinkie Pie xisigr of Tencent's Xuanwu Lab
- [613949] High CVE-2016-1708: Use-after-free in Extensions. Credit to Adam Varsan
- [614934] High CVE-2016-1709: Heap-buffer-overflow in sfntly. Credit to ChenQin of Topsec Security Team
- [616907] High CVE-2016-1710: Same-origin bypass in Blink. Credit to Mariusz Mlynski
- [617495] High CVE-2016-1711: Same-origin bypass in Blink. Credit to Mariusz Mlynski
- [618237] High CVE-2016-5127: Use-after-free in Blink. Credit to cloudfuzzer
- [619166] High CVE-2016-5128: Same-origin bypass in V8. Credit to Anonymous
- [620553] High CVE-2016-5129: Memory corruption in V8. Credit to Jeonghoon Shin
- [623319] High CVE-2016-5130: URL spoofing. Credit to Wadih Matar
- [623378] High CVE-2016-5131: Use-after-free in libxml. Credit to Nick Wellnhofer
- [607543] Medium CVE-2016-5132: Limited same-origin bypass in Service Workers. Credit to Ben Kelly
- [613626] Medium CVE-2016-5133: Origin confusion in proxy authentication. Credit to Patch Eudor
- [593759] Medium CVE-2016-5134: URL leakage via PAC script. Credit to Paul Stone
- [605451] Medium CVE-2016-5135: Content-Security-Policy bypass. Credit to kingxwy
- [625393] Medium CVE-2016-5136: Use after free in extensions. Credit to Rob Wu
- [625945] Medium CVE-2016-5137: History sniffing with HSTS and CSP. Credit to Xiaoyin Liu
- [629852] CVE-2016-1705: Various fixes from internal audits, fuzzing and other initiatives.
Major changes in krb5 1.14.3 and krb5 1.13.6:
Fix a rare KDC denial of service vulnerability when anonymous client principals are restricted to obtaining TGTs only [CVE-2016-3120].
The Apache OpenOffice Project reports:
An OpenDocument Presentation .ODP or Presentation Template .OTP file can contain invalid presentation elements that lead to memory corruption when the document is loaded in Apache OpenOffice Impress. The defect may cause the document to appear as corrupted and OpenOffice may crash in a recovery-stuck mode requiring manual intervention. A crafted exploitation of the defect can allow an attacker to cause denial of service (memory corruption and application crash) and possible execution of arbitrary code.
Oracle reports:
The quarterly Critical Patch Update contains 22 new security fixes for Oracle MySQL 5.5.49, 5.6.30, 5.7.13 and earlier
TYPO3 reports:
Extbase request handling fails to implement a proper access check for requested controller/ action combinations, which makes it possible for an attacker to execute arbitrary Extbase actions by crafting a special request. To successfully exploit this vulnerability, an attacker must have access to at least one Extbase plugin or module action in a TYPO3 installation. The missing access check inevitably leads to information disclosure or remote code execution, depending on the action that an attacker is able to execute.
ATutor reports:
Security Fixes: Added a new layer of security over all php superglobals, fixed several XSS, CSRF, and SQL injection vulnerabilities.
ATutor reports:
Security Fixes: A number of minor XSS vulnerabilities discovered in the previous version of ATutor have been corrected.
Adobe reports:
These updates resolve a race condition vulnerability that could lead to information disclosure (CVE-2016-4247).
These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-4223, CVE-2016-4224, CVE-2016-4225).
These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-4173, CVE-2016-4174, CVE-2016-4222, CVE-2016-4226, CVE-2016-4227, CVE-2016-4228, CVE-2016-4229, CVE-2016-4230, CVE-2016-4231, CVE-2016-4248).
These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2016-4249).
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-4172, CVE-2016-4175, CVE-2016-4179, CVE-2016-4180, CVE-2016-4181, CVE-2016-4182, CVE-2016-4183, CVE-2016-4184, CVE-2016-4185, CVE-2016-4186, CVE-2016-4187, CVE-2016-4188, CVE-2016-4189, CVE-2016-4190, CVE-2016-4217, CVE-2016-4218, CVE-2016-4219, CVE-2016-4220, CVE-2016-4221, CVE-2016-4233, CVE-2016-4234, CVE-2016-4235, CVE-2016-4236, CVE-2016-4237, CVE-2016-4238, CVE-2016-4239, CVE-2016-4240, CVE-2016-4241, CVE-2016-4242, CVE-2016-4243, CVE-2016-4244, CVE-2016-4245, CVE-2016-4246).
These updates resolve a memory leak vulnerability (CVE-2016-4232).
These updates resolve stack corruption vulnerabilities that could lead to code execution (CVE-2016-4176, CVE-2016-4177).
These updates resolve a security bypass vulnerability that could lead to information disclosure (CVE-2016-4178).
Talos reports:
An exploitable Use After Free vulnerability exists in the RTF parser of LibreOffice. A specially crafted file can cause a use after free resulting in a possible arbitrary code execution. To exploit the vulnerability a malicious file needs to be opened by the user via the vulnerable application.
Mathias Svensson reports:
potential buffer write overrun in PixarLogDecode() on corrupted/unexpected images
Cisco Talos reports:
An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format (UDF) files.
Central to 7-Zip’s processing of UDF files is the CInArchive::ReadFileItem method. Because volumes can have more than one partition map, their objects are kept in an object vector. To start looking for an item, this method tries to reference the proper object using the partition map’s object vector and the "PartitionRef" field from the Long Allocation Descriptor. Lack of checking whether the "PartitionRef" field is bigger than the available amount of partition map objects causes a read out-of-bounds and can lead, in some circumstances, to arbitrary code execution.
Cisco Talos reports:
An exploitable heap overflow vulnerability exists in the NArchive::NHfs::CHandler::ExtractZlibFile method functionality of 7zip that can lead to arbitrary code execution.
Samba team reports:
A man in the middle attack can disable client signing over SMB2/3, even if enforced by configuration parameters.
RubySec reports:
ruby-saml prior to version 1.3.0 is vulnerable to an XML signature wrapping attack in the specific scenario where there was a signature that referenced at the same time 2 elements (but past the scheme validator process since 1 of the element was inside the encrypted assertion).
ruby-saml users must update to 1.3.0, which implements 3 extra validations to mitigate this kind of attack.
Mitre reports:
The onReadyRead function in core/coreauthhandler.cpp in Quassel before 0.12.4 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via invalid handshake data.
Apache Software Foundation reports:
The Apache HTTPD web server (from 2.4.18-2.4.20) did not validate a X509 client certificate correctly when the experimental module for the HTTP/2 protocol is used to access a resource.
The net result is that a resource that should require a valid client certificate in order to get access can be accessed without that credential.
The Xen Project reports:
When the libxl toolstack launches qemu for HVM guests, it pipes the output of stderr to a file in /var/log/xen. This output is not rate-limited in any way. The guest can easily cause qemu to print messages to stderr, causing this file to become arbitrarily large.
The disk containing the logfile can be exhausted, possibly causing a denial-of-service (DoS).
The Xen Project reports:
Qemu VGA module allows banked access to video memory using the window at 0xa00000 and it supports different access modes with different address calculations.
Qemu VGA module allows guest to edit certain registers in 'vbe' and 'vga' modes.
A privileged guest user could use CVE-2016-3710 to exceed the bank address window and write beyond the said memory area, potentially leading to arbitrary code execution with privileges of the Qemu process. If the system is not using stubdomains, this will be in domain 0.
A privileged guest user could use CVE-2016-3712 to cause potential integer overflow or OOB read access issues in Qemu, resulting in a DoS of the guest itself. More dangerous effects, such as data leakage or code execution, are not known but cannot be ruled out.
The Xen Project reports:
libxl's device-handling code freely uses and trusts information from the backend directories in xenstore.
A malicious driver domain can deny service to management tools.
The Xen Project reports:
The Page Size (PS) page table entry bit exists at all page table levels other than L1. Its meaning is reserved in L4, and conditionally reserved in L3 and L2 (depending on hardware capabilities). The software page table walker in the hypervisor, however, so far ignored that bit in L4 and (on respective hardware) L3 entries, resulting in pages being treated as page tables which the guest OS may not have designated as such. If the page in question is writable by an unprivileged user, then that user will be able to map arbitrary guest memory.
On vulnerable OSes, guest user mode code may be able to establish mappings of arbitrary memory inside the guest, allowing it to elevate its privileges inside the guest.
The Xen Project reports:
Various parts of libxl device-handling code inappropriately use information from (partially) guest controlled areas of xenstore.
A malicious guest administrator can cause denial of service by resource exhaustion.
A malicious guest administrator can confuse and/or deny service to management facilities.
A malicious guest administrator of a guest configured with channel devices may be able to escalate their privilege to that of the backend domain (i.e., normally, to that of the host).
The Xen Project reports:
In the x86 shadow pagetable code, the guest frame number of a superpage mapping is stored in a 32-bit field. If a shadowed guest can cause a superpage mapping of a guest-physical address at or above 2^44 to be shadowed, the top bits of the address will be lost, causing an assertion failure or NULL dereference later on, in code that removes the shadow.
A HVM guest using shadow pagetables can cause the host to crash.
A PV guest using shadow pagetables (i.e. being migrated) with PV superpages enabled (which is not the default) can crash the host, or corrupt hypervisor memory, and so a privilege escalation cannot be ruled out.
Wireshark development team reports:
The following vulnerabilities have been fixed:
wnpa-sec-2016-29
The SPOOLS dissector could go into an infinite loop. Discovered by the CESG.
wnpa-sec-2016-30
The IEEE 802.11 dissector could crash. (Bug 11585)
wnpa-sec-2016-31
The IEEE 802.11 dissector could crash. Discovered by Mateusz Jurczyk. (Bug 12175)
wnpa-sec-2016-32
The UMTS FP dissector could crash. (Bug 12191)
wnpa-sec-2016-33
Some USB dissectors could crash. Discovered by Mateusz Jurczyk. (Bug 12356)
wnpa-sec-2016-34
The Toshiba file parser could crash. Discovered by iDefense Labs. (Bug 12394)
wnpa-sec-2016-35
The CoSine file parser could crash. Discovered by iDefense Labs. (Bug 12395)
wnpa-sec-2016-36
The NetScreen file parser could crash. Discovered by iDefense Labs. (Bug 12396)
wnpa-sec-2016-37
The Ethernet dissector could crash. (Bug 12440)
Marina Glancy reports:
MSA-16-0013: Users are able to change profile fields that were locked by the administrator.
MSA-16-0015: Information disclosure of hidden forum names and sub-names.
MSA-16-0016: User can view badges of other users without proper permissions.
MSA-16-0017: Course idnumber not protected from teacher restore.
MSA-16-0018: CSRF in script marking forum posts as read.
Eric Lippmann reports:
Possibility of remote code execution via the remote command transport.
Sushanth Sowmyan reports:
Some partition-level operations exist that do not explicitly also authorize privileges of the parent table. This can lead to issues when the parent table would have denied the operation, but no denial occurs because the partition-level privilege is not checked by the authorization framework, which defines authorization entities only from the table level upwards.
KoreLogic security reports:
Affected versions of SQLite reject potential tempdir locations if they are not readable, falling back to '.'. Thus, SQLite will favor e.g. using cwd for tempfiles on such a system, even if cwd is an unsafe location. Notably, SQLite also checks the permissions of '.', but ignores the results of that check.
Red Hat reports:
A vulnerability in smtplib allowing a MITM attacker to perform a startTLS stripping attack. smtplib does not seem to raise an exception when the remote end (smtp server) is capable of negotiating starttls but fails to respond with 220 (ok) to an explicit call of SMTP.starttls(). This may allow a malicious MITM to perform a startTLS stripping attack if the client code does not explicitly check the response code for startTLS.
Please reference CVE/URL list for details
HAproxy reports:
HAproxy 1.6.x before 1.6.6, when a deny comes from a reqdeny rule, allows remote attackers to cause a denial of service (uninitialized memory access and crash) or possibly have unspecified other impact via unknown vectors.
Brandon Perry reports:
The parse_chunk_header function in libtorrent before 1.1.1 allows remote attackers to cause a denial of service (crash) via a crafted (1) HTTP response or possibly a (2) UPnP broadcast.
Adam Maris reports:
It was found that original patch for issues CVE-2015-1283 and CVE-2015-2716 used overflow checks that could be optimized out by some compilers applying certain optimization settings, which can cause the vulnerability to remain even after applying the patch.
reports:
Dnsmasq before 2.76 allows remote servers to cause a denial of service (crash) via a reply with an empty DNS address that has an (1) A or (2) AAAA record defined locally.
Guido Vranken reports:
HTTP header injection in urllib2/urllib/httplib/http.client with newlines in header values, where newlines have a semantic consequence of denoting the start of an additional header line.
Mitre reports:
OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.
Mark Thomas reports:
CVE-2016-3092 is a denial of service vulnerability that has been corrected in the Apache Commons FileUpload component. It occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file. This caused the file upload process to take several orders of magnitude longer than if the boundary length was the typical tens of bytes.
Adam Silverstein reports:
WordPress 4.5.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.5.2 and earlier are affected by several security issues: redirect bypass in the customizer, reported by Yassine Aboukir; two different XSS problems via attachment names, reported by Jouko Pynnönen and Divyesh Prajapati; revision history information disclosure, reported independently by John Blackbourn from the WordPress security team and by Dan Moen from the Wordfence Research Team; oEmbed denial of service reported by Jennifer Dodd from Automattic; unauthorized category removal from a post, reported by David Herrera from Alley Interactive; password change via stolen cookie, reported by Michael Adams from the WordPress security team; and some less secure sanitize_file_name edge cases reported by Peter Westwood of the WordPress security team.
The PHP Group reports:
Please reference CVE/URL list for details
Hanno Bock and Cisco Talos report:
Out of bounds heap read in RAR parser
Signed integer overflow in ISO parser
TALOS-2016-0152 [CVE-2016-4300]: 7-Zip read_SubStreamsInfo Integer Overflow
TALOS-2016-0153 [CVE-2016-4301]: mtree parse_device Stack Based Buffer Overflow
TALOS-2016-0154 [CVE-2016-4302]: Libarchive Rar RestartModel Heap Overflow
Piwik reports:
The Piwik Security team is grateful for the responsible disclosures by our security researchers: Egidio Romano (granted a critical security bounty), James Kettle and Paweł Bartunek (XSS) and Emanuel Bronshtein (limited XSS).
Giuseppe Scrivano reports:
On a server redirect from HTTP to a FTP resource, wget would trust the HTTP server and use the name in the redirected URL as the destination filename.
Google reports:
- [583156] Medium CVE-2016-1683: Out-of-bounds access in libxslt. Credit to Nicolas Gregoire.
- [583171] Medium CVE-2016-1684: Integer overflow in libxslt. Credit to Nicolas Gregoire.
Adobe reports:
These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-4144, CVE-2016-4149).
These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-4142, CVE-2016-4143, CVE-2016-4145, CVE-2016-4146, CVE-2016-4147, CVE-2016-4148).
These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2016-4135, CVE-2016-4136, CVE-2016-4138).
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-4122, CVE-2016-4123, CVE-2016-4124, CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, CVE-2016-4130, CVE-2016-4131, CVE-2016-4132, CVE-2016-4133, CVE-2016-4134, CVE-2016-4137, CVE-2016-4141, CVE-2016-4150, CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, CVE-2016-4155, CVE-2016-4156, CVE-2016-4166, CVE-2016-4171).
These updates resolve a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-4140).
These updates resolve a vulnerability that could be exploited to bypass the same-origin-policy and lead to information disclosure (CVE-2016-4139).
Adobe reports:
These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-1105, CVE-2016-4117).
These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4110, CVE-2016-4121).
These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2016-1101).
These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2016-1103).
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-1096, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115, CVE-2016-4120, CVE-2016-4160, CVE-2016-4161, CVE-2016-4162, CVE-2016-4163).
These updates resolve a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-4116).
Adobe reports:
These updates harden a mitigation against JIT spraying attacks that could be used to bypass memory layout randomization mitigations (CVE-2016-1006).
These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-1015, CVE-2016-1019).
These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-1011, CVE-2016-1013, CVE-2016-1016, CVE-2016-1017, CVE-2016-1031).
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-1012, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1032, CVE-2016-1033).
These updates resolve a stack overflow vulnerability that could lead to code execution (CVE-2016-1018).
These updates resolve a security bypass vulnerability (CVE-2016-1030).
These updates resolve a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-1014).
Google Chrome Releases reports:
3 security fixes in this release, including:
- [620742] CVE-2016-1704: Various fixes from internal audits, fuzzing and other initiatives.
Python reports:
Possible integer overflow and heap corruption in zipimporter.get_data()
Drupal Security Team reports:
Saving user accounts can sometimes grant the user all roles (User module - Drupal 7 - Moderately Critical)
Views can allow unauthorized users to see Statistics information (Views module - Drupal 8 - Less Critical)
Jack Lloyd reports:
Botan 1.10.13 has been released backporting some side channel protections for ECDSA signatures (CVE-2016-2849) and PKCS #1 RSA decryption (CVE-2015-7827).
MITRE reports:
The Miller-Rabin primality check in Botan before 1.10.8 and 1.11.x before 1.11.9 improperly uses a single random base, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a DH group.
The VLC project reports:
Fix out-of-bound write in adpcm QT IMA codec (CVE-2016-5108)
Roundcube reports:
Fix XSS issue in href attribute on area tag (#5240).
The OpenSSL team reports:
Operations in the DSA signing algorithm should run in constant time in order to avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that a non-constant time codepath is followed for certain operations. This has been demonstrated through a cache-timing attack to be sufficient for an attacker to recover the private DSA key.
Sebastian Pipping reports:
CVE-2012-6702 -- Resolve troublesome internal call to srand that was introduced with Expat 2.1.0 when addressing CVE-2012-0876 (issue #496)
CVE-2016-5300 -- Use more entropy for hash initialization than the original fix to CVE-2012-0876.
ESnet reports:
A malicious process can connect to an iperf3 server and, by sending a malformed message on the control channel, corrupt the server process's heap area. This can lead to a crash (and a denial of service), or theoretically a remote code execution as the user running the iperf3 server. A malicious iperf3 server could potentially mount a similar attack on an iperf3 client.
gnutls.org reports:
Setuid programs using GnuTLS 3.4.12 could potentially allow an attacker to overwrite and corrupt arbitrary files in the filesystem.
Mozilla Foundation reports:
Mozilla has updated the version of Network Security Services (NSS) library used in Firefox to NSS 3.23. This addresses four moderate rated networking security issues reported by Mozilla engineers Tyson Smith and Jed Davis.
Mozilla Foundation reports:
MFSA 2016-49 Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)
MFSA 2016-50 Buffer overflow parsing HTML5 fragments
MFSA 2016-51 Use-after-free deleting tables from a contenteditable document
MFSA 2016-52 Addressbar spoofing through the SELECT element
MFSA 2016-54 Partial same-origin-policy through setting location.host through data URI
MFSA 2016-56 Use-after-free when textures are used in WebGL operations after recycle pool destruction
MFSA 2016-57 Incorrect icon displayed on permissions notifications
MFSA 2016-58 Entering fullscreen and persistent pointerlock without user permission
MFSA 2016-59 Information disclosure of disabled plugins through CSS pseudo-classes
MFSA 2016-60 Java applets bypass CSP protections
Google Chrome Releases reports:
15 security fixes in this release, including:
- [601073] High CVE-2016-1696: Cross-origin bypass in Extension bindings. Credit to anonymous.
- [613266] High CVE-2016-1697: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
- [603725] Medium CVE-2016-1698: Information leak in Extension bindings. Credit to Rob Wu.
- [607939] Medium CVE-2016-1699: Parameter sanitization failure in DevTools. Credit to Gregory Panakkal.
- [608104] Medium CVE-2016-1700: Use-after-free in Extensions. Credit to Rob Wu.
- [608101] Medium CVE-2016-1701: Use-after-free in Autofill. Credit to Rob Wu.
- [609260] Medium CVE-2016-1702: Out-of-bounds read in Skia. Credit to cloudfuzzer.
- [616539] CVE-2016-1703: Various fixes from internal audits, fuzzing and other initiatives.
The OpenAFS development team reports:
Foreign users can bypass access controls to create groups as system:administrators, including in the user namespace and the system: namespace.
The contents of uninitialized memory are sent on the wire when clients perform certain RPCs. Depending on the RPC, the information leaked may come from kernel memory or userspace.
The OpenAFS development team reports:
Avoid a potential denial of service issue, by fixing a bug in pioctl logic that allowed a local user to overrun a kernel buffer with a single NUL byte.
Mitre reports:
Cross-site scripting (XSS) vulnerability in the cgierror function in CGI.pm in ikiwiki before 3.20160506 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving an error message.
Tim Newsha reports:
When H2O tries to disconnect a premature HTTP/2 connection, it calls free(3) to release memory allocated for the connection and immediately afterwards touches the memory. No malloc-related operation is performed by the same thread between the time it calls free and the time the memory is touched. Fixed by Frederik Deweerdt.
Maxim Dounin reports:
A problem was identified in nginx code responsible for saving client request body to a temporary file. A specially crafted request might result in worker process crash due to a NULL pointer dereference while writing client request body to a temporary file.
The Cacti Group, Inc. reports:
Changelog
- bug:0002667: Cacti SQL Injection Vulnerability
- bug:0002673: CVE-2016-3659 - Cacti graph_view.php SQL Injection Vulnerability
- bug:0002656: Authentication using web authentication as a user not in the cacti database allows complete access (regression)
Open vSwitch reports:
Multiple versions of Open vSwitch are vulnerable to remote buffer overflow attacks, in which crafted MPLS packets could overflow the buffer reserved for MPLS labels in an OVS internal data structure. The MPLS packets that trigger the vulnerability and the potential for exploitation vary depending on version:
Open vSwitch 2.1.x and earlier are not vulnerable.
In Open vSwitch 2.2.x and 2.3.x, the MPLS buffer overflow can be exploited for arbitrary remote code execution.
In Open vSwitch 2.4.x, the MPLS buffer overflow does not obviously lead to a remote code execution exploit, but testing shows that it can allow a remote denial of service. See the mitigation section for details.
Open vSwitch 2.5.x is not vulnerable.
Google Chrome Releases reports:
42 security fixes in this release
Please reference CVE/URL list for details
Google Chrome Releases reports:
5 security fixes in this release, including:
- [605766] High CVE-2016-1667: Same origin bypass in DOM. Credit to Mariusz Mlynski.
- [605910] High CVE-2016-1668: Same origin bypass in Blink V8 bindings. Credit to Mariusz Mlynski.
- [606115] High CVE-2016-1669: Buffer overflow in V8. Credit to Choongwoo Han.
- [578882] Medium CVE-2016-1670: Race condition in loader. Credit to anonymous.
- [586657] Medium CVE-2016-1671: Directory traversal using the file scheme on Android. Credit to Jann Horn.
Google Chrome Releases reports:
9 security fixes in this release, including:
- [574802] High CVE-2016-1660: Out-of-bounds write in Blink. Credit to Atte Kettunen of OUSPG.
- [601629] High CVE-2016-1661: Memory corruption in cross-process frames. Credit to Wadih Matar.
- [603732] High CVE-2016-1662: Use-after-free in extensions. Credit to Rob Wu.
- [603987] High CVE-2016-1663: Use-after-free in Blink's V8 bindings. Credit to anonymous.
- [597322] Medium CVE-2016-1664: Address bar spoofing. Credit to Wadih Matar.
- [606181] Medium CVE-2016-1665: Information leak in V8. Credit to HyungSeok Han.
- [607652] CVE-2016-1666: Various fixes from internal audits, fuzzing and other initiatives.
The PHP Group reports:
- Core:
- Fixed bug #72114 (Integer underflow / arbitrary null write in fread/gzread). (CVE-2016-5096) (PHP 5.5/5.6 only)
- Fixed bug #72135 (Integer Overflow in php_html_entities). (CVE-2016-5094) (PHP 5.5/5.6 only)
- GD:
- Fixed bug #72227 (imagescale out-of-bounds read). (CVE-2013-7456)
- Intl:
- Fixed bug #72241 (get_icu_value_internal out-of-bounds read). (CVE-2016-5093)
- Phar:
- Fixed bug #71331 (Uninitialized pointer in phar_make_dirstream()). (CVE-2016-4343) (PHP 5.5 only)
The phpmyadmin development team reports:
Description
Because user SQL queries are part of the URL, sensitive information made as part of a user query can be exposed by clicking on external links to attackers monitoring user GET query parameters or included in the webserver logs.
Severity
We consider this to be non-critical.
Description
A specially crafted attack could allow for special HTML characters to be passed as URL encoded values and displayed back as special characters in the page.
Severity
We consider this to be non-critical.
Mediawiki reports:
Security fixes:
T122056: Old tokens are remaining valid within a new session
T127114: Login throttle can be tricked using non-canonicalized usernames
T123653: Cross-domain policy regexp is too narrow
T123071: Incorrectly identifying http link in a's href attributes, due to m modifier in regex
T129506: MediaWiki:Gadget-popups.js isn't renderable
T125283: Users occasionally logged in as different users after SessionManager deployment
T103239: Patrol allows click catching and patrolling of any page
T122807: [tracking] Check php crypto primitives
T98313: Graphs can leak tokens, leading to CSRF
T130947: Diff generation should use PoolCounter
T133507: Careless use of $wgExternalLinkTarget is insecure
T132874: API action=move is not rate limited
Jouni Malinen reports:
psk configuration parameter update allowing arbitrary data to be written (2016-1 - CVE-2016-4476/CVE-2016-4477).
Gustavo Grieco reports:
The Expat XML parser mishandles certain kinds of malformed input documents, resulting in buffer overflows during processing and error reporting. The overflows can manifest as a segmentation fault or as memory corruption during a parse operation. The bugs allow for a denial of service attack in many applications by an unauthenticated attacker, and could conceivably result in remote code execution.
Bugzilla Security Advisory
A specially crafted bug summary could trigger XSS in dependency graphs. Due to an incorrect parsing of the image map generated by the dot script, a specially crafted bug summary could trigger XSS in dependency graphs.
Samuli Seppänen reports:
OpenVPN 2.3.11 [...] fixes two vulnerabilities: a port-share bug with DoS potential and a buffer overflow by user supplied data when using pam authentication.[...]
ImageMagick reports:
Fix a buffer overflow in magick/drag.c/DrawStrokePolygon().
Jenkins Security Advisory:
Description
SECURITY-170 / CVE-2016-3721
Arbitrary build parameters are passed to build scripts as environment variables
SECURITY-243 / CVE-2016-3722
Malicious users with multiple user accounts can prevent other users from logging in
SECURITY-250 / CVE-2016-3723
Information on installed plugins exposed via API
SECURITY-266 / CVE-2016-3724
Encrypted secrets (e.g. passwords) were leaked to users with permission to read configuration
SECURITY-273 / CVE-2016-3725
Regular users can trigger download of update site metadata
SECURITY-276 / CVE-2016-3726
Open redirect to scheme-relative URLs
SECURITY-281 / CVE-2016-3727
Granting the permission to read node configurations allows access to overall system configuration
MITRE reports:
Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.
Helen Hou-Sandi reports:
WordPress 4.5.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.5.1 and earlier are affected by a SOME vulnerability through Plupload, the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues.
The libarchive project reports:
Heap-based buffer overflow in the zip_read_mac_metadata function in archive_read_support_format_zip.c in libarchive before 3.2.0 allows remote attackers to execute arbitrary code via crafted entry-size values in a ZIP archive.
The squid development team reports:
Please reference CVE/URL list for details
Openwall reports:
Insufficient filtering for filename passed to delegate's command allows remote code execution during conversion of several file formats. Any service which uses ImageMagick to process user supplied images and uses default delegates.xml / policy.xml may be vulnerable to this issue.
It is possible to make ImageMagick perform an HTTP GET or FTP request.
It is possible to delete files by using ImageMagick's 'ephemeral' pseudo protocol which deletes files after reading.
It is possible to move image files to a file with any extension in any folder by using ImageMagick's 'msl' pseudo protocol. msl.txt and image.gif should exist in a known location - /tmp/ for the PoC (in real life it may be a web service written in PHP, which allows uploading raw txt files and processing images with ImageMagick).
It is possible to get content of the files from the server by using ImageMagick's 'label' pseudo protocol.
QuickFuzz reports:
A crash caused by stack exhaustion parsing a JSON was found.
OpenSSL reports:
Memory corruption in the ASN.1 encoder
Padding oracle in AES-NI CBC MAC check
EVP_EncodeUpdate overflow
EVP_EncryptUpdate overflow
ASN.1 BIO excessive memory allocation
EBCDIC overread (OpenSSL only)
GitLab reports:
During an internal code review, we discovered a critical security flaw in the "impersonate" feature of GitLab. Added in GitLab 8.2, this feature was intended to allow an administrator to simulate being logged in as any other user.
A part of this feature was not properly secured and it was possible for any authenticated user, administrator or not, to "log in" as any other user, including administrators. Please see the issue for more details.
The PHP Group reports:
- BCMath:
- Fixed bug #72093 (bcpowmod accepts negative scale and corrupts _one_ definition).
- Exif:
- Fixed bug #72094 (Out of bounds heap read access in exif header processing).
- GD:
- Fixed bug #71912 (libgd: signedness vulnerability). (CVE-2016-3074)
- Intl:
- Fixed bug #72061 (Out-of-bounds reads in zif_grapheme_stripos with negative offset).
- XML:
- Fixed bug #72099 (xml_parse_into_struct segmentation fault).
Martin Prpic, Red Hat Product Security Team, reports:
Denial of Service due to stack overflow in src/ber-decoder.c.
Integer overflow in the BER decoder src/ber-decoder.c.
Integer overflow in the DN decoder src/dn.c.
Wireshark development team reports:
The following vulnerabilities have been fixed:
wnpa-sec-2016-19
The NCP dissector could crash. (Bug 11591)
wnpa-sec-2016-20
TShark could crash due to a packet reassembly bug. (Bug 11799)
wnpa-sec-2016-21
The IEEE 802.11 dissector could crash. (Bug 11824, Bug 12187)
wnpa-sec-2016-22
The PKTC dissector could crash. (Bug 12206)
wnpa-sec-2016-23
The PKTC dissector could crash. (Bug 12242)
wnpa-sec-2016-24
The IAX2 dissector could go into an infinite loop. (Bug 12260)
wnpa-sec-2016-25
Wireshark and TShark could exhaust the stack. (Bug 12268)
wnpa-sec-2016-26
The GSM CBCH dissector could crash. (Bug 12278)
wnpa-sec-2016-27
MS-WSP dissector crash. (Bug 12341)
Mercurial reports:
CVE-2016-3105: Arbitrary code execution when converting Git repos
Oracle reports:
Critical Patch Update contains 31 new security fixes for Oracle MySQL 5.5.48, 5.6.29, 5.7.11 and earlier
Logstash developers report:
Passwords Printed in Log Files under Some Conditions
It was discovered that, in Logstash 2.1.0+, log messages generated by a stalled pipeline during shutdown will print plaintext contents of password fields. While investigating this issue we also discovered that debug logging has included this data for quite some time. Our latest releases fix both leaks. You will want to scrub old log files if this is of particular concern to you. This was fixed in issue #4965.
Subversion project reports:
svnserve, the svn:// protocol server, can optionally use the Cyrus SASL library for authentication, integrity protection, and encryption. Due to a programming oversight, authentication against Cyrus SASL would permit the remote user to specify a realm string which is a prefix of the expected realm string.
Subversion's httpd servers are vulnerable to a remotely triggerable crash in the mod_authz_svn module. The crash can occur during an authorization check for a COPY or MOVE request with a specially crafted header value.
This allows remote attackers to cause a denial of service.
Network Time Foundation reports:
NTF's NTP Project has been notified of the following low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p7, released on Tuesday, 26 April 2016:
- Bug 3020 / CVE-2016-1551: Refclock impersonation vulnerability, AKA: refclock-peering. Reported by Matt Street and others of Cisco ASIG
- Bug 3012 / CVE-2016-1549: Sybil vulnerability: ephemeral association attack, AKA: ntp-sybil - MITIGATION ONLY. Reported by Matthew Van Gundy of Cisco ASIG
- Bug 3011 / CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion botch. Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
- Bug 3010 / CVE-2016-2517: Remote configuration trustedkey/requestkey values are not properly validated. Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
- Bug 3009 / CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
- Bug 3008 / CVE-2016-2519: ctl_getitem() return value not always checked. Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
- Bug 3007 / CVE-2016-1547: Validate crypto-NAKs, AKA: nak-dos. Reported by Stephen Gray and Matthew Van Gundy of Cisco ASIG
- Bug 2978 / CVE-2016-1548: Interleave-pivot - MITIGATION ONLY. Reported by Miroslav Lichvar of RedHat and separately by Jonathan Gardner of Cisco ASIG.
- Bug 2952 / CVE-2015-7704: KoD fix: peer associations were broken by the fix for NtpBug2901, AKA: Symmetric active/passive mode is broken. Reported by Michael Tatarinov, NTP Project Developer Volunteer
- Bug 2945 / Bug 2901 / CVE-2015-8138: Zero Origin Timestamp Bypass, AKA: Additional KoD Checks. Reported by Jonathan Gardner of Cisco ASIG
- Bug 2879 / CVE-2016-1550: Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA: authdecrypt-timing. Reported independently by Loganaden Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
Mozilla Foundation reports:
MFSA 2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)
MFSA 2016-42 Use-after-free and buffer overflow in Service Workers
MFSA 2016-44 Buffer overflow in libstagefright with CENC offsets
MFSA 2016-45 CSP not applied to pages sent with multipart/x-mixed-replace
MFSA 2016-46 Elevation of privilege with chrome.tabs.update API in web extensions
MFSA 2016-47 Write to invalid HashMap entry through JavaScript.watch()
MFSA 2016-48 Firefox Health Reports could accept events from untrusted domains
The phpMyFAQ team reports:
The vulnerability exists because the application does not properly verify the origin of HTTP requests in the "Interface Translation" functionality. A remote unauthenticated attacker can create a specially crafted malicious web page with a CSRF exploit, trick a logged-in administrator into visiting the page, spoof the HTTP request as if it was coming from the legitimate user, and inject and execute arbitrary PHP code on the target system with the privileges of the webserver.
GNU Libtasn1 NEWS reports:
Fixes to avoid an infinite recursion when decoding without the ASN1_DECODE_FLAG_STRICT_DER flag. Reported by Pascal Cuoq.
Squid security advisory 2016:5 reports:
Due to incorrect buffer management Squid cachemgr.cgi tool is vulnerable to a buffer overflow when processing remotely supplied inputs relayed to it from Squid.
This problem allows any client to seed the Squid manager reports with data that will cause a buffer overflow when processed by the cachemgr.cgi tool. However, this does require manual administrator actions to take place, which greatly reduces the impact and possible uses.
Squid security advisory 2016:6 reports:
Due to buffer overflow issues Squid is vulnerable to a denial of service attack when processing ESI responses. Due to incorrect input validation Squid is vulnerable to public information disclosure of the server stack layout when processing ESI responses. Due to incorrect input validation and buffer overflow Squid is vulnerable to remote code execution when processing ESI responses.
These problems allow ESI components to be used to perform a denial of service attack on the Squid service and all other services on the same machine. Under certain build conditions these problems allow remote clients to view large sections of the server memory. However, the bugs are exploitable only if you have built and configured the ESI features to be used by a reverse-proxy and if the ESI components being processed by Squid can be controlled by an attacker.
Ansible developers report:
CVE-2016-3096: do not use predictable paths in lxc_container
- do not use a predictable filename for the LXC attach script
- don't use predictable filenames for LXC attach script logging
- don't set a predictable archive_path
this should prevent symlink attacks which could result in
- data corruption
- data leakage
- privilege escalation
MITRE reports:
The mod_tls module in ProFTPD before 1.3.5b and 1.3.6 before 1.3.6rc2 does not properly handle the TLSDHParamFile directive, which might cause a weaker than intended Diffie-Hellman (DH) key to be used and consequently allow attackers to have unspecified impact via unknown vectors.
Google Chrome Releases reports:
20 security fixes in this release, including:
- [590275] High CVE-2016-1652: Universal XSS in extension bindings. Credit to anonymous.
- [589792] High CVE-2016-1653: Out-of-bounds write in V8. Credit to Choongwoo Han.
- [591785] Medium CVE-2016-1651: Out-of-bounds read in Pdfium JPEG2000 decoding. Credit to kdot working with HP's Zero Day Initiative.
- [589512] Medium CVE-2016-1654: Uninitialized memory read in media. Credit to Atte Kettunen of OUSPG.
- [582008] Medium CVE-2016-1655: Use-after-free related to extensions. Credit to Rob Wu.
- [570750] Medium CVE-2016-1656: Android downloaded file path restriction bypass. Credit to Dzmitry Lukyanenko.
- [567445] Medium CVE-2016-1657: Address bar spoofing. Credit to Luan Herrera.
- [573317] Low CVE-2016-1658: Potential leak of sensitive information to malicious extensions. Credit to Antonio Sanso (@asanso) of Adobe.
- [602697] CVE-2016-1659: Various fixes from internal audits, fuzzing and other initiatives.
Jouni Malinen reports:
wpa_supplicant unauthorized WNM Sleep Mode GTK control. (2015-6 - CVE-2015-5310)
EAP-pwd missing last fragment length validation. (2015-7 - CVE-2015-5315)
EAP-pwd peer error path failure on unexpected Confirm message. (2015-8 - CVE-2015-5316)
MITRE reports:
The get_option function in dhcp.c in dhcpcd before 6.2.0, as used in dhcpcd 5.x in Android before 5.1 and other products, does not validate the relationship between length fields and the amount of data, which allows remote DHCP servers to execute arbitrary code or cause a denial of service (memory corruption) via a large length value of an option in a DHCPACK message.
MITRE reports:
The print_option function in dhcp-common.c in dhcpcd through 6.9.1, as used in dhcp.c in dhcpcd 5.x in Android before 5.1 and other products, misinterprets the return value of the snprintf function, which allows remote DHCP servers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted message.
The Asterisk project reports:
PJProject has a limit on the number of TCP connections that it can accept. Furthermore, PJProject does not close TCP connections it accepts. By default, this value is approximately 60.
An attacker can deplete the number of allowed TCP connections by opening TCP connections and sending no data to Asterisk.
If PJProject has been compiled in debug mode, then once the number of allowed TCP connections has been depleted, the next attempted TCP connection to Asterisk will crash due to an assertion in PJProject.
If PJProject has not been compiled in debug mode, then any further TCP connection attempts will be rejected. This makes Asterisk unable to process TCP SIP traffic.
Note that this only affects TCP/TLS, since UDP is connectionless.
The Asterisk project reports:
Asterisk may crash when processing an incoming REGISTER request if that REGISTER contains a Contact header with a lengthy URI.
This crash will only happen for requests that pass authentication. Unauthenticated REGISTER requests will not result in a crash occurring.
This vulnerability only affects Asterisk when using PJSIP as its SIP stack. The chan_sip module does not have this problem.
Jason Buberel reports:
Go has an infinite loop in several big integer routines that makes Go programs vulnerable to remote denial of service attacks. Programs using HTTPS client authentication or the Go ssh server libraries are both exposed to this vulnerability.
Samba team reports:
[CVE-2015-5370] Errors in Samba DCE-RPC code can lead to denial of service (crashes and high cpu consumption) and man in the middle attacks.
[CVE-2016-2110] The feature negotiation of NTLMSSP is not downgrade protected. A man in the middle is able to clear even required flags, especially NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL.
[CVE-2016-2111] When Samba is configured as Domain Controller it allows remote attackers to spoof the computer name of a secure channel's endpoints, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic.
[CVE-2016-2112] A man in the middle is able to downgrade LDAP connections to no integrity protection.
[CVE-2016-2113] Man in the middle attacks are possible for client triggered LDAP connections (with ldaps://) and ncacn_http connections (with https://).
[CVE-2016-2114] Due to a bug Samba doesn't enforce required smb signing, even if explicitly configured.
[CVE-2016-2115] The protection of DCERPC communication over ncacn_np (which is the default for most of the file server related protocols) is inherited from the underlying SMB connection.
[CVE-2016-2118] a.k.a. BADLOCK. A man in the middle can intercept any DCERPC traffic between a client and a server in order to impersonate the client and get the same privileges as the authenticated user account. This is most problematic against active directory domain controllers.
The PHP Group reports:
- Fileinfo:
- Fixed bug #71527 (Buffer over-write in finfo_open with malformed magic file).
- mbstring:
- Fixed bug #71906 (AddressSanitizer: negative-size-param (-1) in mbfl_strcut).
- Phar:
- Fixed bug #71860 (Invalid memory write in phar on filename with \0 in name).
- SNMP:
- Fixed bug #71704 (php_snmp_error() Format String Vulnerability).
- Standard:
- Fixed bug #71798 (Integer Overflow in php_raw_url_encode).
Mitre reports:
The pcre_compile2 function in pcre_compile.c in PCRE 8.38 mishandles the /((?:F?+(?:^(?(R)a+\"){99}-))(?J)(?'R'(?'R'<((?'RR'(?'R'\){97)?J)?J)(?'R'(?'R'\){99|(:(?|(?'R')(\k'R')|((?'R')))H'R'R)(H'R))))))/ pattern and related patterns with named subgroups, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
Djblets Release Notes reports:
A recently-discovered vulnerability in the datagrid templates allows an attacker to generate a URL to any datagrid page containing malicious code in a column sorting value. If the user visits that URL and then clicks that column, the code will execute.
The cause of the vulnerability was due to a template not escaping user-provided values.
Marina Glancy reports:
MSA-16-0003: Incorrect capability check when displaying users emails in Participants list
MSA-16-0004: XSS from profile fields from external db
MSA-16-0005: Reflected XSS in mod_data advanced search
MSA-16-0006: Hidden courses are shown to students in Event Monitor
MSA-16-0007: Non-Editing Instructor role can edit exclude checkbox in Single View
MSA-16-0008: External function get_calendar_events returns events that pertain to hidden activities
MSA-16-0009: CSRF in Assignment plugin management page
MSA-16-0010: Enumeration of category details possible without authentication
MSA-16-0011: Add no referrer to links with _blank target attribute
MSA-16-0012: External function mod_assign_save_submission does not check due dates
Squid security advisory 2016:3 reports:
Due to a buffer overrun Squid pinger binary is vulnerable to denial of service or information leak attack when processing ICMPv6 packets.
This bug also permits the server response to manipulate other ICMP and ICMPv6 queries processing to cause information leak.
This bug allows any remote server to perform a denial of service attack on the Squid service by crashing the pinger. This may affect Squid HTTP routing decisions. In some configurations, sub-optimal routing decisions may result in serious service degradation or even transaction failures.
If the system does not contain buffer-overrun protection leading to that crash, this bug will instead allow attackers to leak arbitrary amounts of information from the heap into Squid log files. This is of higher importance than usual because the pinger process operates with root privileges.
Squid security advisory 2016:4 reports:
Due to incorrect bounds checking Squid is vulnerable to a denial of service attack when processing HTTP responses.
This problem allows a malicious client script and remote server delivering certain unusual HTTP response syntax to trigger a denial of service for all clients accessing the Squid service.
PostgreSQL project reports:
Security Fixes for RLS, BRIN
This release closes security hole CVE-2016-2193 (https://access.redhat.com/security/cve/CVE-2016-2193), where a query plan might get reused for more than one ROLE in the same session. This could cause the wrong set of Row Level Security (RLS) policies to be used for the query.
The update also fixes CVE-2016-3065 (https://access.redhat.com/security/cve/CVE-2016-3065), a server crash bug triggered by using `pageinspect` with BRIN index pages. Since an attacker might be able to expose a few bytes of server memory, this crash is being treated as a security issue.
Adobe reports:
These updates resolve integer overflow vulnerabilities that could lead to code execution (CVE-2016-0963, CVE-2016-0993, CVE-2016-1010).
These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, CVE-2016-1000).
These updates resolve a heap overflow vulnerability that could lead to code execution (CVE-2016-1001).
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992, CVE-2016-1002, CVE-2016-1005).
The botan developers report:
Infinite loop in modular square root algorithm - The ressol function, which implements the Tonelli-Shanks algorithm for finding square roots, could be sent into a nearly infinite loop due to a misplaced conditional check. This could occur if a composite modulus is provided, as this algorithm is only defined for primes. This function is exposed to attacker controlled input via the OS2ECP function during ECC point decompression.
Heap overflow on invalid ECC point - The PointGFp constructor did not check that the affine coordinate arguments were less than the prime, but then in curve multiplication assumed that both arguments if multiplied would fit into an integer twice the size of the prime.
The bigint_mul and bigint_sqr functions received the size of the output buffer, but only used it to dispatch to a faster algorithm in cases where there was sufficient output space to call an unrolled multiplication function.
The result is a heap overflow accessible via ECC point decoding, which accepted untrusted inputs. This is likely exploitable for remote code execution.
On systems which use the mlock pool allocator, it would allow an attacker to overwrite memory held in secure_vector objects. After this point the write will hit the guard page at the end of the mmapped region so it probably could not be used for code execution directly, but would allow overwriting adjacent key material.
The botan developers report:
Excess memory allocation in BER decoder - The BER decoder would allocate a fairly arbitrary amount of memory in a length field, even if there was no chance the read request would succeed. This might cause the process to run out of memory or invoke the OOM killer.
Crash in BER decoder - The BER decoder would crash due to reading from offset 0 of an empty vector if it encountered a BIT STRING which did not contain any data at all. This can be used to easily crash applications reading untrusted ASN.1 data, but does not seem exploitable for code execution.
Mercurial reports:
CVE-2016-3630: Remote code execution in binary delta decoding
CVE-2016-3068: Arbitrary code execution with Git subrepos
CVE-2016-3069: Arbitrary code execution when converting Git repos
Google Chrome Releases reports:
[594574] High CVE-2016-1646: Out-of-bounds read in V8.
[590284] High CVE-2016-1647: Use-after-free in Navigation.
[590455] High CVE-2016-1648: Use-after-free in Extensions.
[597518] CVE-2016-1650: Various fixes from internal audits, fuzzing and other initiatives.
Multiple vulnerabilities in V8 fixed at the tip of the 4.9 branch
Google Chrome Releases reports:
[589838] High CVE-2016-1643: Type confusion in Blink.
[590620] High CVE-2016-1644: Use-after-free in Blink.
[587227] High CVE-2016-1645: Out-of-bounds write in PDFium.
ISC reports:
A response containing multiple DNS cookies causes servers with cookie support enabled to exit with an assertion failure.
ISC reports:
A problem parsing resource record signatures for DNAME resource records can lead to an assertion failure in resolver.c or db.c
ISC reports:
An error parsing input received by the rndc control channel can cause an assertion failure in sexpr.c or alist.c.
SaltStack reports:
This issue affects all Salt versions prior to 2015.8.8/2015.5.10 when PAM external authentication is enabled. This issue involves passing an alternative PAM authentication service with a command that is sent to LocalClient, enabling the attacker to bypass the configured authentication service.
Alvaro Muatoz, Matthias Kaiser and Christian Schneider report:
JMS Object messages depend on Java Serialization for marshaling/unmarshaling of the message payload. There are a couple of places inside the broker where deserialization can occur, like the web console or STOMP object message transformation. As deserialization of untrusted data can lead to security flaws as demonstrated in various reports, this leaves the broker vulnerable to this attack vector. Additionally, applications that consume ObjectMessage type messages can be vulnerable as they deserialize objects on ObjectMessage.getObject() calls.
Michael Furman reports:
The web based administration console does not set the X-Frame-Options header in HTTP responses. This allows the console to be embedded in a frame or iframe which could then be used to cause a user to perform an unintended action in the console.
Vladimir Ivanov (Positive Technologies) reports:
Several instances of cross-site scripting vulnerabilities were identified to be present in the web based administration console, as well as the ability to trigger a Java memory dump into an arbitrary folder. The root cause of these issues is improper user data output validation and incorrect permissions configured on Jolokia.
Philip Hazel reports:
PCRE does not validate that handling the (*ACCEPT) verb will occur within the bounds of the cworkspace stack buffer, leading to a stack buffer overflow.
Stelios Tsampas reports:
A (remotely exploitable) heap overflow vulnerability was found in Kamailio v4.3.4.
Arun Suresh reports:
RPC traffic from clients, potentially including authentication credentials, may be intercepted by a malicious user with access to run tasks or containers on a cluster.
Debian reports:
Integer overflow due to a loop which adds more to "len".
Debian reports:
"int" is the wrong data type for ... nlen assignment.
Jeremiah Senkpiel reports:
Fix a double-free defect in parsing malformed DSA keys that may potentially be used for DoS or memory corruption attacks.
Fix a defect that can cause memory corruption in certain very rare cases
Fix a defect that makes the CacheBleed Attack possible
Matt Johnson reports:
Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions
Martin Barbella reports:
JpGraph is an object oriented library for PHP that can be used to create various types of graphs which also contains support for client side image maps. The GetURLArguments function for the JpGraph's Graph class does not properly sanitize the names of get and post variables, leading to a cross site scripting vulnerability.
The PHP Group reports:
- Core:
- Fixed bug #71637 (Multiple Heap Overflow due to integer overflows in xml/filter_url/addcslashes).
- SOAP:
- Fixed bug #71610 (Type Confusion Vulnerability - SOAP / make_http_soap_request()).
The PHP Group reports:
- Phar:
- Fixed bug #71498 (Out-of-Bound Read in phar_parse_zipfile()).
- WDDX:
- Fixed bug #71587 (Use-After-Free / Double-Free in WDDX Deserialize).
The OpenSSH project reports:
Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth(1).
Injection of xauth commands grants the ability to read arbitrary files under the authenticated user's privilege. Other xauth commands allow limited information leakage, file overwrite, port probing and generally expose xauth(1), which was not written with a hostile user in mind, as an attack surface.
Mitigation:
Set X11Forwarding=no in sshd_config. This is the default.
For authorized_keys that specify a "command" restriction, also set the "restrict" (available in OpenSSH >=7.2) or "no-x11-forwarding" restrictions.
Donald Sharp reports:
A malicious BGP peer may execute arbitrary code in particularly configured remote bgpd hosts.
special reports:
By sending a nickname with some HTML tags in a contact request, an attacker could cause Ricochet to make network requests without Tor after the request is accepted, which would reveal the user's IP address.
Hanno Böck reports:
The pidgin-otr plugin version 4.0.2 fixes a heap use after free error. The bug is triggered when a user tries to authenticate a buddy and happens in the function create_smp_dialog.
X41 D-Sec reports:
A remote attacker may crash or execute arbitrary code in libotr by sending large OTR messages.
Google Chrome Releases reports:
[583607] High CVE-2016-1624: Buffer overflow in Brotli. Credit to lukezli.
Mozilla Foundation reports:
Security researcher Luke Li reported a pointer underflow bug in the Brotli library's decompression that leads to a buffer overflow. This results in a potentially exploitable crash when triggered.
Mozilla Foundation reports:
MFSA 2016-16 Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)
MFSA 2016-17 Local file overwriting and potential privilege escalation through CSP reports
MFSA 2016-18 CSP reports fail to strip location information for embedded iframe pages
MFSA 2016-19 Linux video memory DOS with Intel drivers
MFSA 2016-20 Memory leak in libstagefright when deleting an array during MP4 processing
MFSA 2016-21 Displayed page address can be overridden
MFSA 2016-22 Service Worker Manager out-of-bounds read in Service Worker Manager
MFSA 2016-23 Use-after-free in HTML5 string parser
MFSA 2016-24 Use-after-free in SetBody
MFSA 2016-25 Use-after-free when using multiple WebRTC data channels
MFSA 2016-26 Memory corruption when modifying a file being read by FileReader
MFSA 2016-27 Use-after-free during XML transformations
MFSA 2016-28 Addressbar spoofing through history navigation and Location protocol property
MFSA 2016-29 Same-origin policy violation using performance.getEntries and history navigation with session restore
MFSA 2016-31 Memory corruption with malicious NPAPI plugin
MFSA 2016-32 WebRTC and LibVPX vulnerabilities found through code inspection
MFSA 2016-33 Use-after-free in GetStaticInstance in WebRTC
MFSA 2016-34 Out-of-bounds read in HTML parser following a failed allocation
Mozilla Foundation reports:
Security researcher Holger Fuhrmannek and Mozilla security engineer Tyson Smith reported a number of security vulnerabilities in the Graphite 2 library affecting version 1.3.5. The issue reported by Holger Fuhrmannek is a mechanism to induce stack corruption with a malicious graphite font. This leads to a potentially exploitable crash when the font is loaded. Tyson Smith used the Address Sanitizer tool in concert with a custom software fuzzer to find a series of uninitialized memory, out-of-bounds read, and out-of-bounds write errors when working with fuzzed graphite fonts.
Security researcher James Clawson used the Address Sanitizer tool to discover an out-of-bounds write in the Graphite 2 library when loading a crafted Graphite font file. This results in a potentially exploitable crash.
Mozilla Foundation reports:
Security researcher Francis Gabriel reported a heap-based buffer overflow in the way the Network Security Services (NSS) libraries parsed certain ASN.1 structures. An attacker could create a specially-crafted certificate which, when parsed by NSS, would cause it to crash or execute arbitrary code with the permissions of the user.
Mozilla developer Tim Taubert used the Address Sanitizer tool and software fuzzing to discover a use-after-free vulnerability while processing DER encoded keys in the Network Security Services (NSS) libraries. The vulnerability overwrites the freed memory with zeroes.
Mozilla Foundation reports:
Security researcher Hanno Böck reported that calculations with mp_div and mp_exptmod in Network Security Services (NSS) can produce wrong results in some circumstances. These functions are used within NSS for a variety of cryptographic division functions, leading to potential cryptographic weaknesses.
Mozilla developer Eric Rescorla reported that a failed allocation during DHE and ECDHE handshakes would lead to a use-after-free vulnerability.
Tim Graham reports:
Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
User enumeration through timing difference on password hasher work factor upgrade
Samuel Sidler reports:
WordPress 4.4.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.4.1 and earlier are affected by two security issues: a possible SSRF for certain local URIs, reported by Ronni Skansing; and an open redirection attack, reported by Shailesh Suthar.
Simon G. Tatham reports:
Many versions of PSCP prior to 0.67 have a stack corruption vulnerability in their treatment of the 'sink' direction (i.e. downloading from server to client) of the old-style SCP protocol.
In order for this vulnerability to be exploited, the user must connect to a malicious server and attempt to download any file. [...] you can work around it in a vulnerable PSCP by using the -sftp option to force the use of the newer SFTP protocol, provided your server supports that protocol.
Sebastien Delafond reports:
Jakub Palaczynski discovered that websvn, a web viewer for Subversion repositories, does not correctly sanitize user-supplied input, which allows a remote user to run reflected cross-site scripting attacks.
Thijs Kinkhorst reports:
James Clawson reported:
"Arbitrary files with a known path can be accessed in websvn by committing a symlink to a repository and then downloading the file (using the download link).
An attacker must have write access to the repo, and the download option must have been enabled in the websvn config file."
Ruby on Rails blog:
Rails 4.2.5.2, 4.1.14.2, and 3.2.22.2 have been released! These contain the following important security fixes, and it is recommended that users upgrade as soon as possible.
Google Chrome Releases reports:
[560011] High CVE-2016-1630: Same-origin bypass in Blink.
[569496] High CVE-2016-1631: Same-origin bypass in Pepper Plugin.
[549986] High CVE-2016-1632: Bad cast in Extensions.
[572537] High CVE-2016-1633: Use-after-free in Blink.
[559292] High CVE-2016-1634: Use-after-free in Blink.
[585268] High CVE-2016-1635: Use-after-free in Blink.
[584155] High CVE-2016-1636: SRI Validation Bypass.
[555544] Medium CVE-2016-1637: Information Leak in Skia.
[585282] Medium CVE-2016-1638: WebAPI Bypass.
[572224] Medium CVE-2016-1639: Use-after-free in WebRTC.
[550047] Medium CVE-2016-1640: Origin confusion in Extensions UI.
[583718] Medium CVE-2016-1641: Use-after-free in Favicon.
[591402] CVE-2016-1642: Various fixes from internal audits, fuzzing and other initiatives.
Multiple vulnerabilities in V8 fixed.
Andreas Schneider reports:
libssh versions 0.1 and above have a bits/bytes confusion bug and generate an abnormally short ephemeral secret for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. The resulting secret is 128 bits long, instead of the recommended sizes of 1024 and 2048 bits respectively. There are practical algorithms (Baby steps/Giant steps, Pollard’s rho) that can solve this problem in O(2^63) operations.
Both client and server are vulnerable, pre-authentication. This vulnerability could be exploited by an eavesdropper with enough resources to decrypt or intercept SSH sessions. The bug was found during an internal code review by Aris Adamantiadis of the libssh team.
The Exim development team reports:
All installations having Exim set-uid root and using 'perl_startup' are vulnerable to a local privilege escalation. Any user who can start an instance of Exim (and this is normally any user) can gain root privileges. If you do not use 'perl_startup' you should be safe.
The Cacti Group, Inc. reports:
Changelog
- bug:0002652: CVE-2015-8604: SQL injection in graphs_new.php
- bug:0002655: CVE-2015-8377: SQL injection vulnerability in the host_new_graphs_save function in graphs_new.php
- bug:0002656: Authentication using web authentication as a user not in the cacti database allows complete access
The phpMyAdmin development team reports:
XSS vulnerability in SQL parser.
Using a crafted SQL query, it is possible to trigger an XSS attack through the SQL query page.
We consider this vulnerability to be non-critical.
Multiple XSS vulnerabilities.
By sending a specially crafted URL as part of the HOST header, it is possible to trigger an XSS attack.
A weakness was found that allows an XSS attack with Internet Explorer versions older than 8 and Safari on Windows using a specially crafted URL.
Using a crafted SQL query, it is possible to trigger an XSS attack through the SQL query page.
Using a crafted parameter value, it is possible to trigger an XSS attack in user accounts page.
Using a crafted parameter value, it is possible to trigger an XSS attack in zoom search page.
We consider this vulnerability to be non-critical.
Multiple XSS vulnerabilities.
With a crafted table/column name it is possible to trigger an XSS attack in the database normalization page.
With a crafted parameter it is possible to trigger an XSS attack in the database structure page.
With a crafted parameter it is possible to trigger an XSS attack in central columns page.
We consider this vulnerability to be non-critical.
Vulnerability allowing man-in-the-middle attack on API call to GitHub.
A vulnerability in the API call to GitHub can be exploited to perform a man-in-the-middle attack.
We consider this vulnerability to be serious.
Wireshark development team reports:
The following vulnerabilities have been fixed:
wnpa-sec-2016-02
ASN.1 BER dissector crash. (Bug 11828) CVE-2016-2522
wnpa-sec-2016-03
DNP dissector infinite loop. (Bug 11938) CVE-2016-2523
wnpa-sec-2016-04
X.509AF dissector crash. (Bug 12002) CVE-2016-2524
wnpa-sec-2016-05
HTTP/2 dissector crash. (Bug 12077) CVE-2016-2525
wnpa-sec-2016-06
HiQnet dissector crash. (Bug 11983) CVE-2016-2526
wnpa-sec-2016-07
3GPP TS 32.423 Trace file parser crash. (Bug 11982) CVE-2016-2527
wnpa-sec-2016-08
LBMC dissector crash. (Bug 11984) CVE-2016-2528
wnpa-sec-2016-09
iSeries file parser crash. (Bug 11985) CVE-2016-2529
wnpa-sec-2016-10
RSL dissector crash. (Bug 11829) CVE-2016-2530 CVE-2016-2531
wnpa-sec-2016-11
LLRP dissector crash. (Bug 12048) CVE-2016-2532
wnpa-sec-2016-12
Ixia IxVeriWave file parser crash. (Bug 11795)
wnpa-sec-2016-13
IEEE 802.11 dissector crash. (Bug 11818)
wnpa-sec-2016-14
GSM A-bis OML dissector crash. (Bug 11825)
wnpa-sec-2016-15
ASN.1 BER dissector crash. (Bug 12106)
wnpa-sec-2016-16
SPICE dissector large loop. (Bug 12151)
wnpa-sec-2016-17
NFS dissector crash.
wnpa-sec-2016-18
ASN.1 BER dissector crash. (Bug 11822)
Wireshark development team reports:
The following vulnerabilities have been fixed:
wnpa-sec-2015-31
NBAP dissector crashes. (Bug 11602, Bug 11835, Bug 11841)
wnpa-sec-2015-37
NLM dissector crash.
wnpa-sec-2015-39
BER dissector crash.
wnpa-sec-2015-40
Zlib decompression crash. (Bug 11548)
wnpa-sec-2015-41
SCTP dissector crash. (Bug 11767)
wnpa-sec-2015-42
802.11 decryption crash. (Bug 11790, Bug 11826)
wnpa-sec-2015-43
DIAMETER dissector crash. (Bug 11792)
wnpa-sec-2015-44
VeriWave file parser crashes. (Bug 11789, Bug 11791)
wnpa-sec-2015-45
RSVP dissector crash. (Bug 11793)
wnpa-sec-2015-46
ANSI A and GSM A dissector crashes. (Bug 11797)
wnpa-sec-2015-47
Ascend file parser crash. (Bug 11794)
wnpa-sec-2015-48
NBAP dissector crash. (Bug 11815)
wnpa-sec-2015-49
RSL dissector crash. (Bug 11829)
wnpa-sec-2015-50
ZigBee ZCL dissector crash. (Bug 11830)
wnpa-sec-2015-51
Sniffer file parser crash. (Bug 11827)
wnpa-sec-2015-52
NWP dissector crash. (Bug 11726)
wnpa-sec-2015-53
BT ATT dissector crash. (Bug 11817)
wnpa-sec-2015-54
MP2T file parser crash. (Bug 11820)
wnpa-sec-2015-55
MP2T file parser crash. (Bug 11821)
wnpa-sec-2015-56
S7COMM dissector crash. (Bug 11823)
wnpa-sec-2015-57
IPMI dissector crash. (Bug 11831)
wnpa-sec-2015-58
TDS dissector crash. (Bug 11846)
wnpa-sec-2015-59
PPI dissector crash. (Bug 11876)
wnpa-sec-2015-60
MS-WSP dissector crash. (Bug 11931)
Mark Thomas reports:
CVE-2015-5346 Apache Tomcat Session fixation
CVE-2015-5351 Apache Tomcat CSRF token leak
CVE-2016-0763 Apache Tomcat Security Manager Bypass
Mark Thomas reports:
CVE-2015-5345 Apache Tomcat Directory disclosure
CVE-2016-0706 Apache Tomcat Security Manager bypass
CVE-2016-0714 Apache Tomcat Security Manager Bypass
The Apache Software Foundation reports:
The Xerces-C XML parser mishandles certain kinds of malformed input documents, resulting in buffer overflows during processing and error reporting. The overflows can manifest as a segmentation fault or as memory corruption during a parse operation. The bugs allow for a denial of service attack in many applications by an unauthenticated attacker, and could conceivably result in remote code execution.
Tim Graham reports:
User with "change" but not "add" permission can create objects for ModelAdmin’s with save_as=True
The Xen Project reports:
VMX refuses attempts to enter a guest with an instruction pointer which doesn't satisfy certain requirements. In particular, the instruction pointer needs to be canonical when entering a guest currently in 64-bit mode. This is the case even if the VM entry information specifies an exception to be injected immediately (in which case the bad instruction pointer would possibly never get used for other than pushing onto the exception handler's stack). Provided the guest OS allows user mode to map the virtual memory space immediately below the canonical/non-canonical address boundary, a non-canonical instruction pointer can result even from normal user mode execution. VM entry failure, however, is fatal to the guest.
Malicious HVM guest user mode code may be able to crash the guest.
The Xen Project reports:
While INVLPG does not cause a General Protection Fault when used on a non-canonical address, INVVPID in its "individual address" variant, which is used to back the intercepted INVLPG in certain cases, fails in such cases. Failure of INVVPID results in a hypervisor bug check.
A malicious guest can crash the host, leading to a Denial of Service.
The Xen Project reports:
The PV superpage functionality lacks certain validity checks on data being passed to the hypervisor by guests. This is the case for the page identifier (MFN) passed to MMUEXT_MARK_SUPER and MMUEXT_UNMARK_SUPER sub-ops of the HYPERVISOR_mmuext_op hypercall as well as for various forms of page table updates.
Use of the feature, which is disabled by default, may have unknown effects, ranging from information leaks through Denial of Service to privilege escalation.
Marina Glancy reports:
MSA-16-0001: Two enrolment-related web services don't check course visibility
MSA-16-0002: XSS Vulnerability in course management search
Luke Farone reports:
Double-clicking a file in the user's media library with a specially-crafted path or filename allows for arbitrary code execution with the permissions of the user running Pitivi.
Hans Jerry Illikainen reports:
A heap overflow may occur in the giffix utility included in giflib-5.1.1 when processing records of the type `IMAGE_DESC_RECORD_TYPE' due to the allocated size of `LineBuffer' equaling the value of the logical screen width, `GifFileIn->SWidth', while subsequently having `GifFileIn->Image.Width' bytes of data written to it.
Drupal Security Team reports:
File upload access bypass and denial of service (File module - Drupal 7 and 8 - Moderately Critical)
Brute force amplification attacks via XML-RPC (XML-RPC server - Drupal 6 and 7 - Moderately Critical)
Open redirect via path manipulation (Base system - Drupal 6, 7 and 8 - Moderately Critical)
Form API ignores access restrictions on submit buttons (Form API - Drupal 6 - Critical)
HTTP header injection using line breaks (Base system - Drupal 6 - Moderately Critical)
Open redirect via double-encoded 'destination' parameter (Base system - Drupal 6 - Moderately Critical)
Reflected file download vulnerability (System module - Drupal 6 and 7 - Moderately Critical)
Saving user accounts can sometimes grant the user all roles (User module - Drupal 6 and 7 - Less Critical)
Email address can be matched to an account (User module - Drupal 7 and 8 - Less Critical)
Session data truncation can lead to unserialization of user provided data (Base system - Drupal 6 - Less Critical)
Jenkins Security Advisory:
Description
SECURITY-232 / CVE-2016-0788 (Remote code execution vulnerability in remoting module)
A vulnerability in the Jenkins remoting module allowed unauthenticated remote attackers to open a JRMP listener on the server hosting the Jenkins master process, which allowed arbitrary code execution.
SECURITY-238 / CVE-2016-0789 (HTTP response splitting vulnerability)
An HTTP response splitting vulnerability in the CLI command documentation allowed attackers to craft Jenkins URLs that serve malicious content.
SECURITY-241 / CVE-2016-0790 (Non-constant time comparison of API token)
The verification of user-provided API tokens with the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to use statistical methods to determine valid API tokens using brute-force methods.
SECURITY-245 / CVE-2016-0791 (Non-constant time comparison of CSRF crumbs)
The verification of user-provided CSRF crumbs with the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to use statistical methods to determine valid CSRF crumbs using brute-force methods.
SECURITY-247 / CVE-2016-0792 (Remote code execution through remote API)
Jenkins has several API endpoints that allow low-privilege users to POST XML files that then get deserialized by Jenkins. Maliciously crafted XML files sent to these API endpoints could result in arbitrary code execution.
Squid security advisory 2016:2 reports:
Due to incorrect bounds checking Squid is vulnerable to a denial of service attack when processing HTTP responses.
These problems allow remote servers delivering certain unusual HTTP response syntax to trigger a denial of service for all clients accessing the Squid service.
HTTP responses containing malformed headers that trigger this issue are becoming common. We are not certain at this time if that is a sign of malware or just broken server scripting.
Stian Soiland-Reyes reports:
This release fixes a remote code execution vulnerability that was identified in BeanShell by Alvaro Muñoz and Christian Schneider. The BeanShell team would like to thank them for their help and contributions to this fix!
An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source.
A vulnerable application could be exploited for remote code execution, including executing arbitrary shell commands.
This update fixes the vulnerability in BeanShell, but it is worth noting that applications doing such deserialization might still be insecure through other libraries. It is recommended that application developers take further measures such as using a restricted class loader when deserializing. See notes on Java serialization security, XStream security, and How to secure deserialization from untrusted input without using encryption or sealing.
libsrtp reports:
Prevent potential DoS attack due to lack of bounds checking on RTP header CSRC count and extension header length. Credit goes to Randell Jesup and the Firefox team for reporting this issue.
oCERT reports:
The library is affected by a double-free vulnerability in function jas_iccattrval_destroy() as well as a heap-based buffer overflow in function jp2_decode(). A specially crafted jp2 file can be used to trigger the vulnerabilities.
oCERT reports:
The library is affected by an off-by-one error in a buffer boundary check in jpc_dec_process_sot(), leading to a heap based buffer overflow, as well as multiple unrestricted stack memory use issues in jpc_qmfb.c, leading to stack overflow. A specially crafted jp2 file can be used to trigger the vulnerabilities.
oCERT reports:
Multiple off-by-one flaws, leading to heap-based buffer overflows, were found in the way JasPer decoded JPEG 2000 files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
limingxing reports:
A vulnerability was found in the way the JasPer's jas_matrix_clip() function parses certain JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.
Google Chrome Releases reports:
[583431] Critical CVE-2016-1629: Same-origin bypass in Blink and Sandbox escape in Chrome. Credit to anonymous.
Fabio Olive Leite reports:
A stack-based buffer overflow was found in libresolv when invoked from nss_dns, allowing specially crafted DNS responses to seize control of EIP in the DNS client. The buffer overflow occurs in the functions send_dg (send datagram) and send_vc (send TCP) for the NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC family, or in some cases AF_INET6 family. The use of AF_UNSPEC (or AF_INET6 in some cases) triggers the low-level resolver code to send out two parallel queries for A and AAAA. A mismanagement of the buffers used for those queries could result in the response of a query writing beyond the alloca allocated buffer created by __res_nquery.
Squid security advisory 2016:1 reports:
Due to incorrectly handling server errors Squid is vulnerable to a denial of service attack when connecting to TLS or SSL servers.
This problem allows any trusted client to perform a denial of service attack on the Squid service regardless of whether TLS or SSL is configured for use in the proxy.
Misconfigured client or server software may trigger this issue to perform a denial of service unintentionally.
However, the bug is exploitable only if Squid is built using the --with-openssl option.
The FreeBSD port does not use SSL by default and is not vulnerable in the default configuration.
Jakub Vrana reports:
Fix remote code execution in SQLite query
Jakub Vrana reports:
Fix XSS in indexes (non-MySQL only)
Jakub Vrana reports:
Fix XSS in alter table
Jakub Vrana reports:
Fix XSS in login form
GnuPG reports:
Mitigate side-channel attack on ECDH with Weierstrass curves.
Stepan Golosunov reports:
Buffer overflow was found and fixed in xdelta3 binary diff tool that allows arbitrary code execution from input files at least on some systems.
The Mozilla Foundation reports:
MFSA 2016-13 Jason Pang of OneSignal reported that service workers intercept responses to plugin network requests made through the browser. Plugins which make security decisions based on the content of network requests can have these decisions subverted if a service worker forges responses to those requests. For example, a forged crossdomain.xml could allow a malicious site to violate the same-origin policy using the Flash plugin.
Nghttp2 reports:
Out of memory in nghttpd, nghttp, and libnghttp2_asio applications due to unlimited incoming HTTP header fields.
nghttpd, nghttp, and libnghttp2_asio applications do not limit the memory usage for the incoming HTTP header field. If peer sends specially crafted HTTP/2 HEADERS frames and CONTINUATION frames, they will crash with out of memory error.
Note that libnghttp2 itself is not affected by this vulnerability.
The Horde Team reports:
Fixed XSS vulnerabilities in menu bar and form renderer.
PostgreSQL project reports:
Security Fixes for Regular Expressions, PL/Java
- CVE-2016-0773: This release closes security hole CVE-2016-0773, an issue with regular expression (regex) parsing. Prior code allowed users to pass in expressions which included out-of-range Unicode characters, triggering a backend crash. This issue is critical for PostgreSQL systems with untrusted users or which generate regexes based on user input.
- CVE-2016-0766: The update also fixes CVE-2016-0766, a privilege escalation issue for users of PL/Java. Certain custom configuration settings (GUCS) for PL/Java will now be modifiable only by the database superuser.
Adobe reports:
These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2016-0985).
These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-0973, CVE-2016-0974, CVE-2016-0975, CVE-2016-0982, CVE-2016-0983, CVE-2016-0984).
These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2016-0971).
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-0964, CVE-2016-0965, CVE-2016-0966, CVE-2016-0967, CVE-2016-0968, CVE-2016-0969, CVE-2016-0970, CVE-2016-0972, CVE-2016-0976, CVE-2016-0977, CVE-2016-0978, CVE-2016-0979, CVE-2016-0980, CVE-2016-0981).
Frank Denis reports:
Malformed packets could lead to denial of service or code execution.
Google Chrome Releases reports:
6 security fixes in this release, including:
- [546677] High CVE-2016-1622: Same-origin bypass in Extensions. Credit to anonymous.
- [577105] High CVE-2016-1623: Same-origin bypass in DOM. Credit to Mariusz Mlynski.
- [509313] Medium CVE-2016-1625: Navigation bypass in Chrome Instant. Credit to Jann Horn.
- [571480] Medium CVE-2016-1626: Out-of-bounds read in PDFium. Credit to anonymous, working with HP's Zero Day Initiative.
- [585517] CVE-2016-1627: Various fixes from internal audits, fuzzing and other initiatives.
Talos reports:
An exploitable denial of service vulnerability exists in the font handling of Libgraphite. A specially crafted font can cause an out-of-bounds read potentially resulting in an information leak or denial of service.
A specially crafted font can cause a buffer overflow resulting in potential code execution.
An exploitable NULL pointer dereference exists in the bidirectional font handling functionality of Libgraphite. A specially crafted font can cause a NULL pointer dereference resulting in a crash.
J.C. Cleaver reports:
CVE-2016-2054: Buffer overflow in xymond handling of "config" command
CVE-2016-2055: Access to possibly confidential files in the Xymon configuration directory
CVE-2016-2056: Shell command injection in the "useradm" and "chpasswd" web applications
CVE-2016-2057: Incorrect permissions on IPC queues used by the xymond daemon can bypass IP access filtering
CVE-2016-2058: Javascript injection in "detailed status webpage" of monitoring items; XSS vulnerability via malformed acknowledgment messages
PHP reports:
- Core:
- Fixed bug #71039 (exec functions ignore length but look for NULL termination).
- Fixed bug #71323 (Output of stream_get_meta_data can be falsified by its input).
- Fixed bug #71459 (Integer overflow in iptcembed()).
- PCRE:
- Upgraded bundled PCRE library to 8.38. (CVE-2015-8383, CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394)
- Phar:
- Fixed bug #71354 (Heap corruption in tar/zip/phar parser).
- Fixed bug #71391 (NULL Pointer Dereference in phar_tar_setupmetadata()).
- Fixed bug #71488 (Stack overflow when decompressing tar archives). (CVE-2016-2554)
- WDDX:
- Fixed bug #71335 (Type Confusion in WDDX Packet Deserialization).
The Pillow maintainers report:
In all versions of Pillow, dating back at least to the last PIL 1.1.7 release, PcdDecode.c has a buffer overflow error.
The state.buffer for PcdDecode.c is allocated based on a 3 bytes per pixel sizing, where PcdDecode.c wrote into the buffer assuming 4 bytes per pixel. This writes 768 bytes beyond the end of the buffer into other Python object storage. In some cases, this causes a segfault, in others an internal Python malloc error.
The Pillow maintainers report:
If a large value was passed into the new size for an image, it is possible to overflow an int32 value passed into malloc, leading the malloc’d buffer to be undersized. These allocations are followed by a loop that writes out of bounds. This can lead to corruption on the heap of the Python process with attacker controlled float data.
This issue was found by Ned Williamson.
The Pillow maintainers report:
In all versions of Pillow, dating back at least to the last PIL 1.1.7 release, FliDecode.c has a buffer overflow error.
There is a memcpy error where x is added to a target buffer address. X is used in several internal temporary variable roles, but can take a value up to the width of the image. Im->image[y] is a set of row pointers to segments of memory that are the size of the row. At the max y, this will write the contents of the line off the end of the memory buffer, causing a segfault.
This issue was found by Alyssa Besseling at Atlassian.
The Pillow maintainers report:
Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on x64 may overflow a buffer when reading a specially crafted tiff file.
Specifically, libtiff >= 4.0.0 changed the return type of TIFFScanlineSize from int32 to machine dependent int32|64. If the scanline is sized so that it overflows an int32, it may be interpreted as a negative number, which will then pass the size check in TiffDecode.c line 236. To do this, the logical scanline size has to be > 2gb, and for the test file, the allocated buffer size is 64k against a roughly 4gb scan line size. Any image data over 64k is written over the heap, causing a segfault.
This issue was found by security researcher FourOne.
FFmpeg security reports:
FFmpeg 2.8.6 fixes the following vulnerabilities: CVE-2016-2213
Michael Catanzaro reports:
Shotwell has a serious security issue ("Shotwell does not verify TLS certificates"). Upstream is no longer active and I do not expect any further upstream releases unless someone from the community steps up to maintain it.
What is the impact of the issue? If you ever used any of the publish functionality (publish to Facebook, publish to Flickr, etc.), your passwords may have been stolen; changing them is not a bad idea.
What is the risk of the update? Regressions. The easiest way to validate TLS certificates was to upgrade WebKit; it seems to work but I don't have accounts with the online services it supports, so I don't know if photo publishing still works properly on all the services.
webkit reports:
The ScrollView::paint function in platform/scroll/ScrollView.cpp in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to spoof the UI by extending scrollbar painting into the parent frame.
Filippo Valsorda reports:
python-rsa is vulnerable to a straightforward variant of the Bleichenbacher'06 attack against RSA signature verification with low public exponent.
The Asterisk project reports:
AST-2016-001 - BEAST vulnerability in HTTP server
AST-2016-002 - File descriptor exhaustion in chan_sip
AST-2016-003 - Remote crash vulnerability when receiving UDPTL FAX data
SaltStack reports:
Improper handling of clear messages on the minion, which could result in executing commands not sent by the master.
Ruby on Rails blog:
Rails 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, and 3.2.22.1 have been released! These contain important security fixes, and it is recommended that users upgrade as soon as possible.
socat reports:
In the OpenSSL address implementation the hard coded 1024 bit DH p parameter was not prime. The effective cryptographic strength of a key exchange using these parameters was weaker than the one one could get by using a prime p. Moreover, since there is no indication of how these parameters were chosen, the existence of a trapdoor that makes it possible for an eavesdropper to recover the shared secret from a key exchange that uses them cannot be ruled out.
Mozilla Foundation reports:
MFSA 2016-01 Miscellaneous memory safety hazards (rv:44.0 / rv:38.6)
MFSA 2016-02 Out of Memory crash when parsing GIF format images
MFSA 2016-03 Buffer overflow in WebGL after out of memory allocation
MFSA 2016-04 Firefox allows for control characters to be set in cookie names
MFSA 2016-06 Missing delay following user click events in protocol handler dialog
MFSA 2016-09 Addressbar spoofing attacks
MFSA 2016-10 Unsafe memory manipulation found through code inspection
MFSA 2016-11 Application Reputation service disabled in Firefox 43
CENSUS S.A. reports:
GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are prone to an integer overflow vulnerability which leads to a buffer overflow and potentially to remote code execution.
GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are prone to an out-of-bounds read vulnerability due to missing checks.
Maxim Dounin reports:
Several problems in nginx resolver were identified, which might allow an attacker to cause worker process crash, or might have potential other impact if the "resolver" directive is used in a configuration file.
TYPO3 Security Team reports:
It has been discovered that TYPO3 CMS is susceptible to Cross-Site Scripting and Cross-Site Flashing.
nghttp2 reports:
This release fixes a heap-use-after-free bug in idle stream handling code. We strongly recommend upgrading older installations to this latest version as soon as possible.
Owncloud reports:
Reflected XSS in OCS provider discovery (oC-SA-2016-001)
Information Exposure Through Directory Listing in the file scanner (oC-SA-2016-002)
Disclosure of files that begin with ".v" due to unchecked return value (oC-SA-2016-003)
Radicale reports:
The multifilesystem backend allows access to arbitrary files on all platforms.
Prevent regex injection in rights management.
The phpMyAdmin development team reports:
With a crafted SQL query, it is possible to trigger an XSS attack in the SQL editor.
We consider this vulnerability to be non-critical.
This vulnerability can be triggered only by someone who is logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required pages.
The phpMyAdmin development team reports:
By calling a particular script that is part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed.
We consider this vulnerability to be non-critical.
This path disclosure is possible on servers where the recommended setting of the PHP configuration directive display_errors is set to on, which is against the recommendations given in the PHP manual for a production server.
The phpMyAdmin development team reports:
With a crafted table name it is possible to trigger an XSS attack in the database normalization page.
We consider this vulnerability to be non-critical.
This vulnerability can be triggered only by someone who is logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required page.
The phpMyAdmin development team reports:
By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed.
We consider these vulnerabilities to be non-critical.
This path disclosure is possible on servers where the recommended setting of the PHP configuration directive display_errors is set to on, which is against the recommendations given in the PHP manual for a production server.
The phpMyAdmin development team reports:
The comparison of the XSRF/CSRF token parameter with the value saved in the session is vulnerable to timing attacks. Moreover, the comparison could be bypassed if the XSRF/CSRF token matches a particular pattern.
We consider this vulnerability to be serious.
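The timing weakness in the token comparison above is the data-dependent early exit of an ordinary string compare: it stops at the first differing byte, so the time it takes reveals how long the matching prefix is. Added example, not phpMyAdmin's code (its comparison is PHP): a leaky compare beside a constant-time one, each also reporting how many bytes it examined so the difference is visible without a stopwatch. The function names and the constructed tokens are assumptions. The loose-comparison bypass the report also mentions is PHP-specific and is not modelled here.

```c
/* Added example, not phpMyAdmin's code. Contrasts an early-exit token
 * comparison with a constant-time one. Names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Leaky compare: returns true if the n-byte tokens match. *steps receives
 * the number of bytes examined, which depends on where the first mismatch
 * is: that dependence is what a timing attacker measures. */
bool token_equal_leaky(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps) {
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *steps = i + 1;     /* bailed out early */
            return false;
        }
    }
    *steps = n;
    return true;
}

/* Constant-time compare: always touches all n bytes, folding every
 * difference into one accumulator; the result is checked only at the end.
 * `volatile` on the accumulator discourages the compiler from reintroducing
 * an early exit (hmac.compare_digest / CRYPTO_memcmp do the same job). */
bool token_equal_ct(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps) {
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    *steps = n;                 /* work is independent of the input */
    return diff == 0;
}

int main(void) {
    /* Constructed 16-byte tokens: the second differs from the first only in
     * the last byte, the third differs immediately. */
    const uint8_t stored[16] = "0123456789abcdef";
    const uint8_t close[16]  = "0123456789abcdeX";
    const uint8_t far[16]    = "X123456789abcdef";
    size_t s1, s2, s3, s4;

    printf("leaky: close=%d (%zu steps)  far=%d (%zu steps)\n",
           token_equal_leaky(stored, close, 16, &s1), s1,
           token_equal_leaky(stored, far, 16, &s2), s2);
    printf("ct:    close=%d (%zu steps)  far=%d (%zu steps)\n",
           token_equal_ct(stored, close, 16, &s3), s3,
           token_equal_ct(stored, far, 16, &s4), s4);
    return 0;
}
```

The leaky version examines 16 bytes for the near miss and 1 byte for the distant one, and that gap is what lets a remote attacker recover a token one byte at a time; the constant-time version examines 16 in both cases. Lengths must also be fixed or compared separately before the loop, since the n passed in is itself public.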
The phpMyAdmin development team reports:
Password suggestion functionality uses Math.random() which does not provide cryptographically secure random numbers.
We consider this vulnerability to be non-critical.
The phpMyAdmin development team reports:
- With a crafted table name it is possible to trigger an XSS attack in the database search page.
- With a crafted SET value or a crafted search query, it is possible to trigger an XSS attack in the zoom search page.
- With a crafted hostname header, it is possible to trigger an XSS attack in the home page.
We consider these vulnerabilities to be non-critical.
These vulnerabilities can be triggered only by someone who is logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required pages.
The phpMyAdmin development team reports:
The XSRF/CSRF token is generated with a weak algorithm using functions that do not return cryptographically secure values.
We consider this vulnerability to be non-critical.
The phpMyAdmin development team reports:
By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed.
We consider these vulnerabilities to be non-critical.
This path disclosure is possible on servers where the recommended setting of the PHP configuration directive display_errors is set to on, which is against the recommendations given in the PHP manual for a production server.
The Prosody team reports:
Adopt key generation algorithm from XEP-0185, to prevent impersonation attacks (CVE-2016-0756)
OpenSSL project reports:
- Historically OpenSSL only ever generated DH parameters based on "safe" primes. More recently (in version 1.0.2) support was provided for generating X9.42 style parameter files such as those required for RFC 5114 support. The primes used in such files may not be "safe". Where an application is using DH configured with parameters based on primes that are not "safe" then an attacker could use this fact to find a peer's private DH exponent. This attack requires that the attacker complete multiple handshakes in which the peer uses the same private DH exponent. For example this could be used to discover a TLS server's private DH exponent if it's reusing the private DH exponent or it's using a static DH ciphersuite. OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS. It is not on by default. If the option is not set then the server reuses the same private DH exponent for the life of the server process and would be vulnerable to this attack. It is believed that many popular applications do set this option and would therefore not be at risk. (CVE-2016-0701)
- A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2. (CVE-2015-3197)
The cURL project reports:
libcurl will reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer.
Aaron Jorbin reports:
WordPress 4.4.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.4 and earlier are affected by a cross-site scripting vulnerability that could allow a site to be compromised. This was reported by Crtc4L.
Privoxy Developers reports:
Prevent invalid reads in case of corrupt chunk-encoded content. CVE-2016-1982. Bug discovered with afl-fuzz and AddressSanitizer.
Remove empty Host headers in client requests. Previously they would result in invalid reads. CVE-2016-1983. Bug discovered with afl-fuzz and AddressSanitizer.
Privoxy Developers reports:
Fixed a DoS issue in case of client requests with incorrect chunk-encoded body. When compiled with assertions enabled (the default) they could previously cause Privoxy to abort(). Reported by Matthew Daley. CVE-2015-1380.
Fixed multiple segmentation faults and memory leaks in the pcrs code. This fix also increases the chances that an invalid pcrs command is rejected as such. Previously some invalid commands would be loaded without error. Note that Privoxy's pcrs sources (action and filter files) are considered trustworthy input and should not be writable by untrusted third-parties. CVE-2015-1381.
Fixed an 'invalid read' bug which could at least theoretically cause Privoxy to crash. So far, no crashes have been observed. CVE-2015-1382.
Privoxy Developers reports:
Fixed a memory leak when rejecting client connections due to the socket limit being reached (CID 66382). This affected Privoxy 3.0.21 when compiled with IPv6 support (on most platforms this is the default).
Fixed an immediate-use-after-free bug (CID 66394) and two additional unconfirmed use-after-free complaints made by Coverity scan (CID 66391, CID 66376).
MITRE reports:
Privoxy before 3.0.22 allows remote attackers to cause a denial of service (file descriptor consumption) via unspecified vectors.
Privoxy Developers reports:
Proxy authentication headers are removed unless the new directive enable-proxy-authentication-forwarding is used. Forwarding the headers potentially allows malicious sites to trick the user into providing them with login information. Reported by Chris John Riley.
MITRE reports:
sudoedit in Sudo before 1.8.15 allows local users to gain privileges via a symlink attack on a file whose full path is defined using multiple wildcards in /etc/sudoers, as demonstrated by "/home/*/*/file.txt."
Enlightenment reports:
GIF loader: Fix segv on images without colormap
Prevent division-by-zero crashes.
Fix segfault when opening input/queue/id:000007,src:000000,op:flip1,pos:51 with feh
ISC reports:
Specific APL data could trigger an INSIST in apl_42.c
Google Chrome Releases reports:
This update includes 37 security fixes, including:
- [497632] High CVE-2016-1612: Bad cast in V8.
- [572871] High CVE-2016-1613: Use-after-free in PDFium.
- [544691] Medium CVE-2016-1614: Information leak in Blink.
- [468179] Medium CVE-2016-1615: Origin confusion in Omnibox.
- [541415] Medium CVE-2016-1616: URL Spoofing.
- [544765] Medium CVE-2016-1617: History sniffing with HSTS and CSP.
- [552749] Medium CVE-2016-1618: Weak random number generator in Blink.
- [557223] Medium CVE-2016-1619: Out-of-bounds read in PDFium.
- [579625] CVE-2016-1620: Various fixes from internal audits, fuzzing and other initiatives.
- Multiple vulnerabilities in V8 fixed at the tip of the 4.8 branch.
Network Time Foundation reports:
NTF's NTP Project has been notified of the following low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p6, released on Tuesday, 19 January 2016:
- Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq. Reported by Cisco ASIG.
- Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass. Reported by Cisco ASIG.
- Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode. Reported by Cisco ASIG.
- Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list. Reported by Cisco ASIG.
- Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference. Reported by Cisco ASIG.
- Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames. Reported by Cisco ASIG.
- Bug 2937 / CVE-2015-7975: nextvar() missing length check. Reported by Cisco ASIG.
- Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers. Reported by Cisco ASIG.
- Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode. Reported by Cisco ASIG.
Additionally, mitigations are published for the following two issues:
- Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks. Reported by Cisco ASIG.
- Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin. Reported by Cisco ASIG.
Jason A. Donenfeld reports:
Reflected Cross Site Scripting and Header Injection in Mimetype Query String.
Stored Cross Site Scripting and Header Injection in Filename Parameter.
Integer Overflow resulting in Buffer Overflow.
ISC reports:
Problems converting OPT resource records and ECS options to text format can cause BIND to terminate
DrWhax reports:
So in codeconv.c there is a function for Japanese character set conversion called conv_jistoeuc(). There is no bounds checking on the output buffer, which is created on the stack with alloca(). The bug can be triggered by sending an email to TAILS_luser@riseup.net or whatever. Since my C is completely rusty, you might be able to make a better judgment on the severity of this issue. Marking critical for now.
MITRE reports:
Integer signedness error in the archive_write_zip_data function in archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when running on 64-bit machines, allows context-dependent attackers to cause a denial of service (crash) via unspecified vectors, which triggers an improper conversion between unsigned and signed types, leading to a buffer overflow.
Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and earlier allows remote attackers to write to arbitrary files via a full pathname in an archive.
Libarchive issue tracker reports:
Using a crafted tar file, bsdtar can perform an out-of-bounds memory read which will lead to a SEGFAULT. The issue exists when the executable skips data in the archive. The amount of data to skip is defined in byte offset [16-19]. If ASLR is disabled, the issue can lead to an infinite loop.
Jason Buberel reports:
A security-related issue has been reported in Go's math/big package. The issue was introduced in Go 1.5. We recommend that all users upgrade to Go 1.5.3, which fixes the issue. Go programs must be recompiled with Go 1.5.3 in order to receive the fix.
The Go team would like to thank Nick Craig-Wood for identifying the issue.
This issue can affect RSA computations in crypto/rsa, which is used by crypto/tls. TLS servers on 32-bit systems could plausibly leak their RSA private key due to this issue. Other protocol implementations that create many RSA signatures could also be impacted in the same way.
Specifically, incorrect results in one part of the RSA Chinese Remainder computation can cause the result to be incorrect in such a way that it leaks one of the primes. While RSA blinding should prevent an attacker from crafting specific inputs that trigger the bug, on 32-bit systems the bug can be expected to occur at random around one in 2^26 times. Thus collecting around 64 million signatures (of known data) from an affected server should be enough to extract the private key used.
On 64-bit systems, the frequency of the bug is so low (less than one in 2^50) that it would be very difficult to exploit. Nonetheless, everyone is strongly encouraged to upgrade.
ISC reports:
A badly formed packet with an invalid IPv4 UDP length field can cause a DHCP server, client, or relay program to terminate abnormally.
Tomas Hoger reports:
A buffer overflow flaw was discovered in libproxy's url::get_pac(), used to download the proxy.pac proxy auto-configuration file. A malicious host serving proxy.pac, or a man-in-the-middle attacker, could use this flaw to trigger a stack-based buffer overflow in an application using libproxy, if the proxy configuration instructed it to download the proxy.pac file from a remote HTTP server.
Arch Linux reports:
ffmpeg has a vulnerability in the current version that allows the attacker to create a specially crafted video file, downloading which will send files from a user PC to a remote attacker server. The attack does not even require the user to open that file — for example, KDE Dolphin thumbnail generation is enough.
Kazuho Oku reports:
When redirect directive is used, this flaw allows a remote attacker to inject response headers into an HTTP redirect response.
OpenSSH reports:
OpenSSH clients between versions 5.4 and 7.1 are vulnerable to information disclosure that may allow a malicious server to retrieve information including under some circumstances, user's private keys.
The Prosody Team reports:
Fix path traversal vulnerability in mod_http_files (CVE-2016-1231)
Fix use of weak PRNG in generation of dialback secrets (CVE-2016-1232)
Elastic reports:
Fixes XSS vulnerability (CVE pending) - Thanks to Vladimir Ivanov for responsibly reporting.
Ricardo Signes reports:
Beginning in PathTools 3.47 and/or perl 5.20.0, the File::Spec::canonpath() routine returned untainted strings even if passed tainted input. This defect undermines the guarantee of taint propagation, which is sometimes used to ensure that unvalidated user input does not reach sensitive code.
This defect was found and reported by David Golden of MongoDB.
PHP reports:
- Core:
- Fixed bug #70755 (fpm_log.c memory leak and buffer overflow).
- GD:
- Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds).
- SOAP:
- Fixed bug #70900 (SoapClient systematic out of memory error).
- Wddx
- Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization).
- Fixed bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability).
- XMLRPC:
- Fixed bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker()).
NVD reports:
The FontManager._get_nix_font_path function in formatters/img.py in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a font name.
Colin Walters reports:
Integer overflow in the authentication_agent_new_cookie function in PolicyKit (aka polkit) before 0.113 allows local users to gain privileges by creating a large number of connections, which triggers the issuance of a duplicate cookie value.
The authentication_agent_new function in polkitbackend/polkitbackendinteractiveauthority.c in PolicyKit (aka polkit) before 0.113 allows local users to cause a denial of service (NULL pointer dereference and polkitd daemon crash) by calling RegisterAuthenticationAgent with an invalid object path.
The polkit_backend_action_pool_init function in polkitbackend/polkitbackendactionpool.c in PolicyKit (aka polkit) before 0.113 might allow local users to gain privileges via duplicate action IDs in action descriptions.
PolicyKit (aka polkit) before 0.113 allows local users to cause a denial of service (memory corruption and polkitd daemon crash) and possibly gain privileges via unspecified vectors, related to "javascript rule evaluation."
Michael Samuel reports:
librsync before 1.0.0 uses a truncated MD4 checksum to match blocks, which makes it easier for remote attackers to modify transmitted data via a birthday attack.
Network Time Foundation reports:
NTF's NTP Project has been notified of the following 1 medium-severity vulnerability that is fixed in ntp-4.2.8p5, released on Thursday, 7 January 2016:
NtpBug2956: Small-step/Big-step CVE-2015-5300
Nico Golde reports:
Heap overflow via malformed dhcp responses later in print_option (via dhcp_envoption1) due to incorrect option length values. Exploitation is non-trivial, but I'd love to be proven wrong.
Invalid read/crash via malformed dhcp responses. Not exploitable beyond DoS as far as I can judge.
ARM Limited reports:
MD5 handshake signatures in TLS 1.2 are vulnerable to the SLOTH attack on TLS 1.2 server authentication. They have been disabled by default. Other attacks from the SLOTH paper do not apply to any version of mbed TLS or PolarSSL.
The Xen Project reports:
Single memory accesses in source code can be translated to multiple ones in machine code by the compiler, requiring special caution when accessing shared memory. Such precaution was missing from the hypervisor code inspecting the state of I/O requests sent to the device model for assistance.
Due to the offending field being a bitfield, it is however believed that there is no issue in practice, since compilers, at least when optimizing (which is always the case for non-debug builds), should find it more expensive to extract the bit field value twice than to keep the calculated value in a register.
This vulnerability is exposed to malicious device models. In conventional Xen systems this means the qemu which services an HVM domain. On such systems this vulnerability can only be exploited if the attacker has gained control of the device model qemu via another vulnerability.
Privilege escalation, host crash (Denial of Service), and leaked information all cannot be excluded.
The Xen Project reports:
When XSAVE/XRSTOR are not in use by Xen to manage guest extended register state, the initial values in the FPU stack and XMM registers seen by the guest upon first use are those left there by the previous user of those registers.
A malicious domain may be able to leverage this to obtain sensitive information such as cryptographic keys from another domain.
The Xen Project reports:
When constructing a guest which is configured to use a PV bootloader which runs as a userspace process in the toolstack domain (e.g. pygrub) libxl creates a mapping of the files to be used as kernel and initial ramdisk when building the guest domain.
However if building the domain subsequently fails these mappings would not be released leading to a leak of virtual address space in the calling process, as well as preventing the recovery of the temporary disk files containing the kernel and initial ramdisk.
For toolstacks which manage multiple domains within the same process, an attacker who is able to repeatedly start a suitable domain (or many such domains) can cause an out-of-memory condition in the toolstack process, leading to a denial of service.
Under the same circumstances an attacker can also cause files to accumulate on the toolstack domain filesystem (usually under /var in dom0) used to temporarily store the kernel and initial ramdisk, perhaps leading to a denial of service against arbitrary other services using that filesystem.
The Xen Project reports:
Error handling in the operation may involve handing back pages to the domain. This operation may fail when in parallel the domain gets torn down. So far this failure unconditionally resulted in the host being brought down due to an internal error being assumed. This is CVE-2015-8339.
Furthermore error handling so far wrongly included the release of a lock. That lock, however, was either not acquired or already released on all paths leading to the error handling sequence. This is CVE-2015-8340.
A malicious guest administrator may be able to deny service by crashing the host or causing a deadlock.
zzf of Alibaba discovered an out-of-bounds vulnerability in the code processing the LogLUV and CIE Lab image format files. An attacker could create a specially-crafted TIFF file that could cause libtiff to crash.
LMX of Qihoo 360 Codesafe Team discovered an out-of-bounds read in tif_getimage.c. An attacker could create a specially-crafted TIFF file that could cause libtiff to crash.
Gustavo Grieco reports:
Two issues were found in unzip 6.0:
* A heap overflow triggered by unzipping a file with a password (e.g. unzip -p -P x sigsegv.zip).
* A denial of service with a file that never finishes unzipping (e.g. unzip sigxcpu.zip).
NVD reports:
SQL injection vulnerability in include/top_graph_header.php in Cacti 0.8.8f and earlier allows remote attackers to execute arbitrary SQL commands via the rra_id parameter in a properties action to graph.php.
ISC Support reports:
ISC Kea may terminate unexpectedly (crash) while handling a malformed client packet. Related defects in the kea-dhcp4 and kea-dhcp6 servers can cause the server to crash during option processing if a client sends a malformed packet. An attacker sending a crafted malformed packet can cause an ISC Kea server providing DHCP services to IPv4 or IPv6 clients to exit unexpectedly.
The kea-dhcp4 server is vulnerable only in versions 0.9.2 and 1.0.0-beta, and furthermore only when logging at debug level 40 or higher. Servers running kea-dhcp4 versions 0.9.1 or lower, and servers which are not logging or are logging at debug level 39 or below are not vulnerable.
The kea-dhcp6 server is vulnerable only in versions 0.9.2 and 1.0.0-beta, and furthermore only when logging at debug level 45 or higher. Servers running kea-dhcp6 versions 0.9.1 or lower, and servers which are not logging or are logging at debug level 44 or below are not vulnerable.
ACME Updates reports:
mini_httpd 1.21 and earlier allows remote attackers to obtain sensitive information from process memory via an HTTP request with a long protocol string, which triggers an incorrect response size calculation and an out-of-bounds read.
(rene) ACME, the author, claims that the vulnerability is fixed *after* version 1.22, released on 2015-12-28
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmit (tx) descriptors in the 'tx_consume' routine, if a descriptor was to have more than the allowed (ROCKER_TX_FRAGS_MAX=16) fragments.
A privileged user inside guest could use this flaw to cause memory leakage on the host or crash the Qemu process instance resulting in DoS issue.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the Q35 chipset based pc system emulator is vulnerable to a heap based buffer overflow. It occurs during VM guest migration, as more (16 bytes) data is moved into an allocated (8 bytes) memory area.
A privileged guest user could use this issue to corrupt the VM guest image, potentially leading to a DoS. This issue affects q35 machine types.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the Human Monitor Interface (HMP) support is vulnerable to an OOB write issue. It occurs while processing the 'sendkey' command in the hmp_sendkey routine, if the command argument is longer than the 'keyname_buf' buffer size.
A user/process could use this flaw to crash the Qemu process instance resulting in DoS.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the SCSI MegaRAID SAS HBA emulation support is vulnerable to a stack buffer overflow issue. It occurs while processing the SCSI controller's CTRL_GET_INFO command. A privileged guest user could use this flaw to crash the Qemu process instance resulting in DoS.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to a memory leakage flaw. It occurs when a guest repeatedly tries to activate the vmxnet3 device.
A privileged guest user could use this flaw to leak host memory, resulting in DoS on the host.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the USB EHCI emulation support is vulnerable to an infinite loop issue. It occurs during communication between the host controller interface (EHCI) and a respective device driver. These two communicate via an isochronous transfer descriptor list (iTD), and an infinite loop unfolds if there is a closed loop in this list.
A privileged user inside the guest could use this flaw to consume excessive CPU cycles & resources on the host.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the PCI MSI-X support is vulnerable to a null pointer dereference issue. It occurs when the controller attempts to write to the pending bit array (PBA) memory region, because the MSI-X MMIO support did not define the .write method.
A privileged user inside the guest could use this flaw to crash the Qemu process, resulting in a DoS issue.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the VNC display driver support is vulnerable to an arithmetic exception flaw. It occurs on the VNC server side while processing the 'SetPixelFormat' messages from a client.
A privileged remote client could use this flaw to crash the guest resulting in DoS.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the AMD PC-Net II Ethernet Controller support is vulnerable to a heap buffer overflow flaw. While receiving packets in the loopback mode, it appends CRC code to the receive buffer. If the data size given is the same as the receive buffer size, the appended CRC code overwrites 4 bytes beyond this 's->buffer' array.
A privileged (CAP_SYS_RAWIO) user inside the guest could use this flaw to crash the Qemu instance resulting in DoS or potentially execute arbitrary code with privileges of the Qemu process on the host.
The AMD PC-Net II emulator (hw/net/pcnet.c), while receiving packets from a remote host (non-loopback mode), fails to validate the received data size, thus resulting in a buffer overflow issue. It could potentially lead to arbitrary code execution on the host, with privileges of the Qemu process. It requires the guest NIC to have a larger MTU limit.
A remote user could use this flaw to crash the guest instance resulting in DoS or potentially execute arbitrary code on a remote host with privileges of the Qemu process.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the i8255x (PRO100) emulation support is vulnerable to an infinite loop issue. It could occur while processing a chain of commands located in the Command Block List (CBL). Each Command Block (CB) points to the next command in the list. An infinite loop unfolds if the link to the next CB points to the same block or there is a closed loop in the chain.
A privileged (CAP_SYS_RAWIO) user inside the guest could use this flaw to crash the Qemu instance resulting in DoS.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the Virtual Network Device(virtio-net) support is vulnerable to a DoS issue. It could occur while receiving large packets over the tuntap/macvtap interfaces and when guest's virtio-net driver did not support big/mergeable receive buffers.
An attacker on the local network could use this flaw to disable guest's networking by sending a large number of jumbo frames to the guest, exhausting all receive buffers and thus leading to a DoS situation.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the NE2000 NIC emulation support is vulnerable to an infinite loop issue. It could occur when receiving packets over the network.
A privileged user inside the guest could use this flaw to crash the Qemu instance, resulting in DoS.
Qemu emulator built with the NE2000 NIC emulation support is vulnerable to a heap buffer overflow issue. It could occur when receiving packets over the network.
A privileged user inside the guest could use this flaw to crash the Qemu instance or potentially execute arbitrary code on the host.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the IDE disk and CD/DVD-ROM emulation support is vulnerable to a divide-by-zero issue. It could occur while executing the IDE command WIN_READ_NATIVE_MAX to determine the maximum size of a drive.
A privileged user inside the guest could use this flaw to crash the Qemu instance, resulting in DoS.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the e1000 NIC emulation support is vulnerable to an infinite loop issue. It could occur while processing transmit descriptor data when sending a network packet.
A privileged user inside the guest could use this flaw to crash the Qemu instance, resulting in DoS.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the VNC display driver is vulnerable to an infinite loop issue. It could occur while processing a CLIENT_CUT_TEXT message with a specially crafted payload.
A privileged guest user could use this flaw to crash the Qemu process on the host, resulting in DoS.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the VNC display driver support is vulnerable to a buffer overflow flaw leading to a heap memory corruption issue. It could occur while refreshing the server display surface via the routine vnc_refresh_server_surface().
A privileged guest user could use this flaw to corrupt the heap memory and crash the Qemu process instance, or potentially use it to execute arbitrary code on the host.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the virtio-serial vmchannel support is vulnerable to a buffer overflow issue. It could occur while exchanging virtio control messages between the guest and the host.
A malicious guest could use this flaw to corrupt a few bytes of the Qemu memory area, potentially crashing the Qemu process.
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the SCSI device emulation support is vulnerable to a stack buffer overflow issue. It could occur while parsing a SCSI command descriptor block with an invalid operation code.
A privileged (CAP_SYS_RAWIO) user inside the guest could use this flaw to crash the Qemu instance, resulting in DoS.
Petr Matousek of Red Hat Inc. reports:
Due to converting PIO to the new memory read/write API, we no longer provide separate I/O region lengths for read and write operations. As a result, reading from the PIT Mode/Command register will end with accessing pit->channels with an invalid index and potentially cause memory corruption and/or a minor information leak.
A privileged guest user in a guest with QEMU PIT emulation enabled could potentially (though unlikely) use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process.
Please note that by default QEMU/KVM guests use in-kernel (KVM) PIT emulation and are thus not vulnerable to this issue.